The COM_CHANGE_USER command in MySQL 3.x before 3.23.54, and 4.x before 4.0.6, allows remote attackers to gain privileges via a brute force attack using a one-character password, which causes MySQL to only compare the provided password against the first character of the real password.
2002-12-23T05:00:00.000
2025-04-03T01:03:51.193
Deferred
CVSSv2: 7.5 (HIGH)
AV:N/AC:L/Au:N/C:P/I:P/A:P
10.0
6.4
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | oracle | mysql | 3.22.26 | Yes |
| Application | oracle | mysql | 3.22.27 | Yes |
| Application | oracle | mysql | 3.22.28 | Yes |
| Application | oracle | mysql | 3.22.29 | Yes |
| Application | oracle | mysql | 3.22.30 | Yes |
| Application | oracle | mysql | 3.22.32 | Yes |
| Application | oracle | mysql | 3.23.2 | Yes |
| Application | oracle | mysql | 3.23.3 | Yes |
| Application | oracle | mysql | 3.23.4 | Yes |
| Application | oracle | mysql | 3.23.5 | Yes |
| Application | oracle | mysql | 3.23.8 | Yes |
| Application | oracle | mysql | 3.23.9 | Yes |
| Application | oracle | mysql | 3.23.10 | Yes |
| Application | oracle | mysql | 3.23.23 | Yes |
| Application | oracle | mysql | 3.23.24 | Yes |
| Application | oracle | mysql | 3.23.25 | Yes |
| Application | oracle | mysql | 3.23.26 | Yes |
| Application | oracle | mysql | 3.23.27 | Yes |
| Application | oracle | mysql | 3.23.28 | Yes |
| Application | oracle | mysql | 3.23.29 | Yes |
| Application | oracle | mysql | 3.23.30 | Yes |
| Application | oracle | mysql | 3.23.31 | Yes |
| Application | oracle | mysql | 3.23.34 | Yes |
| Application | oracle | mysql | 3.23.36 | Yes |
| Application | oracle | mysql | 3.23.37 | Yes |
| Application | oracle | mysql | 3.23.38 | Yes |
| Application | oracle | mysql | 3.23.39 | Yes |
| Application | oracle | mysql | 3.23.40 | Yes |
| Application | oracle | mysql | 3.23.41 | Yes |
| Application | oracle | mysql | 3.23.42 | Yes |
| Application | oracle | mysql | 3.23.43 | Yes |
| Application | oracle | mysql | 3.23.44 | Yes |
| Application | oracle | mysql | 3.23.45 | Yes |
| Application | oracle | mysql | 3.23.46 | Yes |
| Application | oracle | mysql | 3.23.47 | Yes |
| Application | oracle | mysql | 3.23.48 | Yes |
| Application | oracle | mysql | 3.23.49 | Yes |
| Application | oracle | mysql | 3.23.50 | Yes |
| Application | oracle | mysql | 3.23.51 | Yes |
| Application | oracle | mysql | 3.23.52 | Yes |
| Application | oracle | mysql | 3.23.53 | Yes |
| Application | oracle | mysql | 3.23.53a | Yes |
| Application | oracle | mysql | 4.0.0 | Yes |
| Application | oracle | mysql | 4.0.1 | Yes |
| Application | oracle | mysql | 4.0.2 | Yes |
| Application | oracle | mysql | 4.0.3 | Yes |
| Application | oracle | mysql | 4.0.5a | Yes |
| Application | symantec_veritas | netbackup_advanced_reporter | 3.4 | Yes |
| Application | symantec_veritas | netbackup_advanced_reporter | 4.5 | Yes |
| Application | symantec_veritas | netbackup_advanced_reporter | 4.5_fp1 | Yes |
| Application | symantec_veritas | netbackup_advanced_reporter | 4.5_fp2 | Yes |
| Application | symantec_veritas | netbackup_advanced_reporter | 4.5_fp3 | Yes |
| Application | symantec_veritas | netbackup_advanced_reporter | 4.5_mp1 | Yes |
| Application | symantec_veritas | netbackup_advanced_reporter | 4.5_mp2 | Yes |
| Application | symantec_veritas | netbackup_advanced_reporter | 4.5_mp3 | Yes |
| Application | symantec_veritas | netbackup_global_data_manager | 4.5 | Yes |
| Application | symantec_veritas | netbackup_global_data_manager | 4.5_fp1 | Yes |
| Application | symantec_veritas | netbackup_global_data_manager | 4.5_fp2 | Yes |
| Application | symantec_veritas | netbackup_global_data_manager | 4.5_fp3 | Yes |
| Application | symantec_veritas | netbackup_global_data_manager | 4.5_mp1 | Yes |
| Application | symantec_veritas | netbackup_global_data_manager | 4.5_mp2 | Yes |
| Application | symantec_veritas | netbackup_global_data_manager | 4.5_mp3 | Yes |