製品・ソフトウェアに関する情報

JVN脆弱性詳細

Oracle MySQL および MariaDB における SQL インジェクションの脆弱性

Title	Oracle MySQL および MariaDB における SQL インジェクションの脆弱性
Summary	Oracle MySQL および MariaDB のレプリケーションコードには、バイナリログに関する処理に不備があるため、SQL インジェクションの脆弱性が存在します。
Possible impacts	リモート認証されたユーザにより、任意の SQL コマンドを実行される可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Jan. 22, 2013, midnight
Registration Date	Jan. 24, 2013, 2:44 p.m.
Last Update	Feb. 17, 2016, 4:35 p.m.

CVSS2.0 : 警告
Score	6.5
Vector	AV:N/AC:L/Au:S/C:P/I:P/A:P

Affected System

オラクル

MySQL 5.5.29 未満

MariaDB Corporation Ab.

MariaDB 5.1.x から 5.1.62

MariaDB 5.2.x から 5.2.12

MariaDB 5.3.x から 5.3.7

MariaDB 5.5.x から 5.5.25

MariaDB 5.1.x から 5.1.62

MariaDB 5.2.x から 5.2.12

MariaDB 5.3.x から 5.3.7

MariaDB 5.5.x から 5.5.25

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2012-4414	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4414
2	CVE-2012-4414	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4414
National Vulnerability Database (NVD)
3	CVE-2012-4414	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4414
4	CVE-2012-4414	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4414

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-89	https://jvndb.jvn.jp/ja/cwe/CWE-89.html
2	CWE-89	https://jvndb.jvn.jp/ja/cwe/CWE-89.html

ベンダー情報

No	Name	URL
AskMonty Knowledgebase
1	MariaDB 5.2.13 Release Notes	https://mariadb.com/kb/en/mariadb/mariadb-5213-release-notes/
2	MariaDB 5.2.13 Release Notes	https://mariadb.com/kb/en/mariadb/mariadb-5213-release-notes/
MariaDB Development
3	MDEV-382	https://mariadb.atlassian.net/browse/MDEV-382
4	MDEV-382	https://mariadb.atlassian.net/browse/MDEV-382
Red Hat Bugzilla
5	Bug 852144	https://bugzilla.redhat.com/show_bug.cgi?id=852144
6	Bug 852144	https://bugzilla.redhat.com/show_bug.cgi?id=852144

Change Log

No	Changed Details	Date of change
0	[2013年01月24日] 掲載 [2016年02月17日] ベンダ情報：MariaDB Corporation Ab. (MariaDB 5.2.13 Release Notes) を追加	Feb. 17, 2018, 10:37 a.m.
0	[2013年01月24日] 掲載 [2016年02月17日] ベンダ情報：MariaDB Corporation Ab. (MariaDB 5.2.13 Release Notes) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2012-4414

Summary	Multiple SQL injection vulnerabilities in the replication code in Oracle MySQL possibly before 5.5.29, and MariaDB 5.1.x through 5.1.62, 5.2.x through 5.2.12, 5.3.x through 5.3.7, and 5.5.x through 5.5.25, allow remote authenticated users to execute arbitrary SQL commands via vectors related to the binary log. NOTE: as of 20130116, Oracle has not commented on claims from a downstream vendor that the fix in MySQL 5.5.29 is incomplete.
Publication Date	Jan. 23, 2013, 8:55 a.m.
Registration Date	Jan. 28, 2021, 3:03 p.m.
Last Update	Nov. 21, 2024, 10:42 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:oracle:mysql:5.5.10:::::::*
cpe:2.3:a:oracle:mysql:5.1.63:::::::*
cpe:2.3:a:oracle:mysql:5.1.52:::::::*
cpe:2.3:a:oracle:mysql:5.1.59:::::::*
cpe:2.3:a:oracle:mysql:5.5.27:::::::*
cpe:2.3:a:oracle:mysql:5.1.51:::::::*
cpe:2.3:a:oracle:mysql:5.1.62:::::::*
cpe:2.3:a:oracle:mysql:5.1.60:::::::*
cpe:2.3:a:oracle:mysql:5.5.19:::::::*
cpe:2.3:a:oracle:mysql:5.1.52:sp1::::::
cpe:2.3:a:oracle:mysql:5.1.54:::::::*
cpe:2.3:a:oracle:mysql:5.1.53:::::::*
cpe:2.3:a:oracle:mysql:5.5.17:::::::*
cpe:2.3:a:oracle:mysql:5.1.61:::::::*
cpe:2.3:a:oracle:mysql:5.1.55:::::::*
cpe:2.3:a:oracle:mysql:5.1.57:::::::*
cpe:2.3:a:oracle:mysql:5.5.22:::::::*
cpe:2.3:a:oracle:mysql:5.5.14:::::::*
cpe:2.3:a:oracle:mysql::::::::		5.5.28
cpe:2.3:a:oracle:mysql:5.5.16:::::::*
cpe:2.3:a:oracle:mysql:5.5.11:::::::*
cpe:2.3:a:oracle:mysql:5.1.65:::::::*
cpe:2.3:a:oracle:mysql:5.5.21:::::::*
cpe:2.3:a:oracle:mysql:5.1.58:::::::*
cpe:2.3:a:oracle:mysql:5.5.26:::::::*
cpe:2.3:a:oracle:mysql:5.5.20:::::::*
cpe:2.3:a:oracle:mysql:5.5.18:::::::*
cpe:2.3:a:oracle:mysql:5.5.24:::::::*
cpe:2.3:a:oracle:mysql:5.5.25:::::::*
cpe:2.3:a:oracle:mysql:5.1.66:::::::*
cpe:2.3:a:oracle:mysql:5.5.15:::::::*
cpe:2.3:a:oracle:mysql:5.1.64:::::::*
cpe:2.3:a:oracle:mysql:5.1.67:::::::*
cpe:2.3:a:oracle:mysql:5.1.56:::::::*
cpe:2.3:a:oracle:mysql:5.5.13:::::::*
cpe:2.3:a:oracle:mysql:5.5.25:a::::::
cpe:2.3:a:oracle:mysql:5.5.12:::::::*
cpe:2.3:a:oracle:mysql:5.5.23:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:mariadb:mariadb:5.1.49:::::::*
cpe:2.3:a:mariadb:mariadb:5.1.47:::::::*
cpe:2.3:a:mariadb:mariadb:5.1.51:::::::*
cpe:2.3:a:mariadb:mariadb:5.1.42:::::::*
cpe:2.3:a:mariadb:mariadb:5.1.61:::::::*
cpe:2.3:a:mariadb:mariadb:5.1.50:::::::*
cpe:2.3:a:mariadb:mariadb:5.1.53:::::::*
cpe:2.3:a:mariadb:mariadb:5.1.62:::::::*
cpe:2.3:a:mariadb:mariadb:5.1.44:::::::*
cpe:2.3:a:mariadb:mariadb:5.1.55:::::::*
cpe:2.3:a:mariadb:mariadb:5.1.41:::::::*
cpe:2.3:a:mariadb:mariadb:5.1.60:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:mariadb:mariadb:5.2.10:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.7:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.9:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.6:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.1:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.4:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.8:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.11:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.12:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.0:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.5:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.3:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.2:::::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:a:mariadb:mariadb:5.3.1:::::::*
cpe:2.3:a:mariadb:mariadb:5.3.0:::::::*
cpe:2.3:a:mariadb:mariadb:5.3.4:::::::*
cpe:2.3:a:mariadb:mariadb:5.3.5:::::::*
cpe:2.3:a:mariadb:mariadb:5.3.6:::::::*
cpe:2.3:a:mariadb:mariadb:5.3.7:::::::*
cpe:2.3:a:mariadb:mariadb:5.3.2:::::::*
cpe:2.3:a:mariadb:mariadb:5.3.3:::::::*

Configuration5	or higher	or less	more than	less than
cpe:2.3:a:mariadb:mariadb:5.5.20:::::::*
cpe:2.3:a:mariadb:mariadb:5.5.22:::::::*
cpe:2.3:a:mariadb:mariadb:5.5.23:::::::*
cpe:2.3:a:mariadb:mariadb:5.5.21:::::::*
cpe:2.3:a:mariadb:mariadb:5.5.24:::::::*
cpe:2.3:a:mariadb:mariadb:5.5.25:::::::*

Related information, measures and tools

No	URL	refsource	タグ
1	http://bugs.mysql.com/bug.php?id=66550
2	http://bugs.mysql.com/bug.php?id=66550
3	http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00000.html
4	http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00000.html
5	http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00002.html
6	http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00002.html
7	http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00013.html
8	http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00013.html
9	http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00020.html
10	http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00020.html
11	http://www.mandriva.com/security/advisories?name=MDVSA-2013:102
12	http://www.mandriva.com/security/advisories?name=MDVSA-2013:102
13	http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
14	http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
15	http://www.mysqlperformanceblog.com/2013/01/13/cve-2012-4414-in-mysql-5-5-29-and-percona-server-5-5-29/
16	http://www.mysqlperformanceblog.com/2013/01/13/cve-2012-4414-in-mysql-5-5-29-and-percona-server-5-5-29/
17	http://www.openwall.com/lists/oss-security/2012/09/11/4
18	http://www.openwall.com/lists/oss-security/2012/09/11/4
19	http://www.securityfocus.com/bid/55498
20	http://www.securityfocus.com/bid/55498
21	https://bugzilla.redhat.com/show_bug.cgi?id=852144
22	https://bugzilla.redhat.com/show_bug.cgi?id=852144
23	https://mariadb.atlassian.net/browse/MDEV-382
24	https://mariadb.atlassian.net/browse/MDEV-382

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-89	SQLインジェクション	https://cwe.mitre.org/data/definitions/89.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:oracle:mysql:5.5.10:::::::*
cpe:2.3:a:oracle:mysql:5.1.63:::::::*
cpe:2.3:a:oracle:mysql:5.1.52:::::::*
cpe:2.3:a:oracle:mysql:5.1.59:::::::*
cpe:2.3:a:oracle:mysql:5.5.27:::::::*
cpe:2.3:a:oracle:mysql:5.1.51:::::::*
cpe:2.3:a:oracle:mysql:5.1.62:::::::*
cpe:2.3:a:oracle:mysql:5.1.60:::::::*
cpe:2.3:a:oracle:mysql:5.5.19:::::::*
cpe:2.3:a:oracle:mysql:5.1.52:sp1::::::
cpe:2.3:a:oracle:mysql:5.1.54:::::::*
cpe:2.3:a:oracle:mysql:5.1.53:::::::*
cpe:2.3:a:oracle:mysql:5.5.17:::::::*
cpe:2.3:a:oracle:mysql:5.1.61:::::::*
cpe:2.3:a:oracle:mysql:5.1.55:::::::*
cpe:2.3:a:oracle:mysql:5.1.57:::::::*
cpe:2.3:a:oracle:mysql:5.5.22:::::::*
cpe:2.3:a:oracle:mysql:5.5.14:::::::*
cpe:2.3:a:oracle:mysql::::::::		5.5.28
cpe:2.3:a:oracle:mysql:5.5.16:::::::*
cpe:2.3:a:oracle:mysql:5.5.11:::::::*
cpe:2.3:a:oracle:mysql:5.1.65:::::::*
cpe:2.3:a:oracle:mysql:5.5.21:::::::*
cpe:2.3:a:oracle:mysql:5.1.58:::::::*
cpe:2.3:a:oracle:mysql:5.5.26:::::::*
cpe:2.3:a:oracle:mysql:5.5.20:::::::*
cpe:2.3:a:oracle:mysql:5.5.18:::::::*
cpe:2.3:a:oracle:mysql:5.5.24:::::::*
cpe:2.3:a:oracle:mysql:5.5.25:::::::*
cpe:2.3:a:oracle:mysql:5.1.66:::::::*
cpe:2.3:a:oracle:mysql:5.5.15:::::::*
cpe:2.3:a:oracle:mysql:5.1.64:::::::*
cpe:2.3:a:oracle:mysql:5.1.67:::::::*
cpe:2.3:a:oracle:mysql:5.1.56:::::::*
cpe:2.3:a:oracle:mysql:5.5.13:::::::*
cpe:2.3:a:oracle:mysql:5.5.25:a::::::
cpe:2.3:a:oracle:mysql:5.5.12:::::::*
cpe:2.3:a:oracle:mysql:5.5.23:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:mariadb:mariadb:5.1.49:::::::*
cpe:2.3:a:mariadb:mariadb:5.1.47:::::::*
cpe:2.3:a:mariadb:mariadb:5.1.51:::::::*
cpe:2.3:a:mariadb:mariadb:5.1.42:::::::*
cpe:2.3:a:mariadb:mariadb:5.1.61:::::::*
cpe:2.3:a:mariadb:mariadb:5.1.50:::::::*
cpe:2.3:a:mariadb:mariadb:5.1.53:::::::*
cpe:2.3:a:mariadb:mariadb:5.1.62:::::::*
cpe:2.3:a:mariadb:mariadb:5.1.44:::::::*
cpe:2.3:a:mariadb:mariadb:5.1.55:::::::*
cpe:2.3:a:mariadb:mariadb:5.1.41:::::::*
cpe:2.3:a:mariadb:mariadb:5.1.60:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:mariadb:mariadb:5.2.10:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.7:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.9:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.6:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.1:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.4:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.8:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.11:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.12:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.0:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.5:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.3:::::::*
cpe:2.3:a:mariadb:mariadb:5.2.2:::::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:a:mariadb:mariadb:5.3.1:::::::*
cpe:2.3:a:mariadb:mariadb:5.3.0:::::::*
cpe:2.3:a:mariadb:mariadb:5.3.4:::::::*
cpe:2.3:a:mariadb:mariadb:5.3.5:::::::*
cpe:2.3:a:mariadb:mariadb:5.3.6:::::::*
cpe:2.3:a:mariadb:mariadb:5.3.7:::::::*
cpe:2.3:a:mariadb:mariadb:5.3.2:::::::*
cpe:2.3:a:mariadb:mariadb:5.3.3:::::::*

Configuration5	or higher	or less	more than	less than
cpe:2.3:a:mariadb:mariadb:5.5.20:::::::*
cpe:2.3:a:mariadb:mariadb:5.5.22:::::::*
cpe:2.3:a:mariadb:mariadb:5.5.23:::::::*
cpe:2.3:a:mariadb:mariadb:5.5.21:::::::*
cpe:2.3:a:mariadb:mariadb:5.5.24:::::::*
cpe:2.3:a:mariadb:mariadb:5.5.25:::::::*