CVE Vulnerabilities

CVE-2002-1374

Published: Dec 23, 2002 | Modified: Oct 07, 2019
CVSS 3.x: N/A
Source: NVD
CVSS 2.x: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)

The COM_CHANGE_USER command in MySQL 3.x before 3.23.54, and 4.x before 4.0.6, allows remote attackers to gain privileges via a brute force attack using a one-character password, which causes MySQL to only compare the provided password against the first character of the real password.

Affected Software

| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Mysql | Oracle | 3.22.26 (including) | 3.22.26 (including) |
| Mysql | Oracle | 3.22.27 (including) | 3.22.27 (including) |
| Mysql | Oracle | 3.22.28 (including) | 3.22.28 (including) |
| Mysql | Oracle | 3.22.29 (including) | 3.22.29 (including) |
| Mysql | Oracle | 3.22.30 (including) | 3.22.30 (including) |
| Mysql | Oracle | 3.22.32 (including) | 3.22.32 (including) |
| Mysql | Oracle | 3.23.2 (including) | 3.23.2 (including) |
| Mysql | Oracle | 3.23.3 (including) | 3.23.3 (including) |
| Mysql | Oracle | 3.23.4 (including) | 3.23.4 (including) |
| Mysql | Oracle | 3.23.5 (including) | 3.23.5 (including) |
| Mysql | Oracle | 3.23.8 (including) | 3.23.8 (including) |
| Mysql | Oracle | 3.23.9 (including) | 3.23.9 (including) |
| Mysql | Oracle | 3.23.10 (including) | 3.23.10 (including) |
| Mysql | Oracle | 3.23.23 (including) | 3.23.23 (including) |
| Mysql | Oracle | 3.23.24 (including) | 3.23.24 (including) |
| Mysql | Oracle | 3.23.25 (including) | 3.23.25 (including) |
| Mysql | Oracle | 3.23.26 (including) | 3.23.26 (including) |
| Mysql | Oracle | 3.23.27 (including) | 3.23.27 (including) |
| Mysql | Oracle | 3.23.28 (including) | 3.23.28 (including) |
| Mysql | Oracle | 3.23.29 (including) | 3.23.29 (including) |
| Mysql | Oracle | 3.23.30 (including) | 3.23.30 (including) |
| Mysql | Oracle | 3.23.31 (including) | 3.23.31 (including) |
| Mysql | Oracle | 3.23.34 (including) | 3.23.34 (including) |
| Mysql | Oracle | 3.23.36 (including) | 3.23.36 (including) |
| Mysql | Oracle | 3.23.37 (including) | 3.23.37 (including) |
| Mysql | Oracle | 3.23.38 (including) | 3.23.38 (including) |
| Mysql | Oracle | 3.23.39 (including) | 3.23.39 (including) |
| Mysql | Oracle | 3.23.40 (including) | 3.23.40 (including) |
| Mysql | Oracle | 3.23.41 (including) | 3.23.41 (including) |
| Mysql | Oracle | 3.23.42 (including) | 3.23.42 (including) |
| Mysql | Oracle | 3.23.43 (including) | 3.23.43 (including) |
| Mysql | Oracle | 3.23.44 (including) | 3.23.44 (including) |
| Mysql | Oracle | 3.23.45 (including) | 3.23.45 (including) |
| Mysql | Oracle | 3.23.46 (including) | 3.23.46 (including) |
| Mysql | Oracle | 3.23.47 (including) | 3.23.47 (including) |
| Mysql | Oracle | 3.23.48 (including) | 3.23.48 (including) |
| Mysql | Oracle | 3.23.49 (including) | 3.23.49 (including) |
| Mysql | Oracle | 3.23.50 (including) | 3.23.50 (including) |
| Mysql | Oracle | 3.23.51 (including) | 3.23.51 (including) |
| Mysql | Oracle | 3.23.52 (including) | 3.23.52 (including) |
| Mysql | Oracle | 3.23.53 (including) | 3.23.53 (including) |
| Mysql | Oracle | 3.23.53a (including) | 3.23.53a (including) |
| Mysql | Oracle | 4.0.0 (including) | 4.0.0 (including) |
| Mysql | Oracle | 4.0.1 (including) | 4.0.1 (including) |
| Mysql | Oracle | 4.0.2 (including) | 4.0.2 (including) |
| Mysql | Oracle | 4.0.3 (including) | 4.0.3 (including) |
| Mysql | Oracle | 4.0.5a (including) | 4.0.5a (including) |
| Netbackup_advanced_reporter | Symantec_veritas | 3.4 (including) | 3.4 (including) |
| Netbackup_advanced_reporter | Symantec_veritas | 4.5 (including) | 4.5 (including) |
| Netbackup_advanced_reporter | Symantec_veritas | 4.5_fp1 (including) | 4.5_fp1 (including) |
| Netbackup_advanced_reporter | Symantec_veritas | 4.5_fp2 (including) | 4.5_fp2 (including) |
| Netbackup_advanced_reporter | Symantec_veritas | 4.5_fp3 (including) | 4.5_fp3 (including) |
| Netbackup_advanced_reporter | Symantec_veritas | 4.5_mp1 (including) | 4.5_mp1 (including) |
| Netbackup_advanced_reporter | Symantec_veritas | 4.5_mp2 (including) | 4.5_mp2 (including) |
| Netbackup_advanced_reporter | Symantec_veritas | 4.5_mp3 (including) | 4.5_mp3 (including) |
| Netbackup_global_data_manager | Symantec_veritas | 4.5 (including) | 4.5 (including) |
| Netbackup_global_data_manager | Symantec_veritas | 4.5_fp1 (including) | 4.5_fp1 (including) |
| Netbackup_global_data_manager | Symantec_veritas | 4.5_fp2 (including) | 4.5_fp2 (including) |
| Netbackup_global_data_manager | Symantec_veritas | 4.5_fp3 (including) | 4.5_fp3 (including) |
| Netbackup_global_data_manager | Symantec_veritas | 4.5_mp1 (including) | 4.5_mp1 (including) |
| Netbackup_global_data_manager | Symantec_veritas | 4.5_mp2 (including) | 4.5_mp2 (including) |
| Netbackup_global_data_manager | Symantec_veritas | 4.5_mp3 (including) | 4.5_mp3 (including) |
| Red Hat Enterprise Linux AS (Advanced Server) version 2.1 | RedHat | * | |
| Red Hat Linux 7.0 | RedHat | * | |
| Red Hat Linux 7.1 | RedHat | * | |
| Red Hat Linux 7.1 | RedHat | * | |
| Red Hat Linux 7.2 | RedHat | * | |
| Red Hat Linux 7.3 | RedHat | * | |
| Red Hat Linux 8.0 | RedHat | * | |
| Red Hat Linux Advanced Workstation 2.1 | RedHat | * | |
