CVE-2015-1027 (GCVE-0-2015-1027)
Vulnerability from cvelistv5 – Published: 2017-09-28 19:00 – Updated: 2024-08-06 04:33
Summary
The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL.
Severity
5.9 (Medium)
CWE
- n/a
Assigner
mitre (cve@mitre.org)
References
2 references
| URL | Tags |
|---|---|
| https://bugs.launchpad.net/percona-toolkit/+bug/1408375 | x_refsource_CONFIRM |
| https://www.percona.com/blog/2015/05/06/percona-s… | x_refsource_CONFIRM |
Date Public
2015-05-06 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:33:19.329Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.launchpad.net/percona-toolkit/+bug/1408375"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-05-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-28T18:57:02.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.launchpad.net/percona-toolkit/+bug/1408375"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-1027",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.launchpad.net/percona-toolkit/+bug/1408375",
"refsource": "CONFIRM",
"url": "https://bugs.launchpad.net/percona-toolkit/+bug/1408375"
},
{
"name": "https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/",
"refsource": "CONFIRM",
"url": "https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-1027",
"datePublished": "2017-09-28T19:00:00.000Z",
"dateReserved": "2015-01-10T00:00:00.000Z",
"dateUpdated": "2024-08-06T04:33:19.329Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2015-1027",
"date": "2026-06-03",
"epss": "0.00264",
"percentile": "0.50045"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2015-1027\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2017-09-29T01:34:47.907\",\"lastModified\":\"2026-05-13T00:24:29.033\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL.\"},{\"lang\":\"es\",\"value\":\"La subrutina de chequeo de versiones en percona-toolkit en versiones anteriores a la 2.2.13 y xtrabackup en versiones anteriores a la 2.2.9 era vulnerable a ataques silenciosos de degradaci\u00f3n HTTP y Man-in-the-Middle (MitM) en los que la respuesta del servidor se podr\u00eda modificar para que permita que el atacante responda con una carga \u00fatil de comandos modificada y fuerce a que el cliente devuelva informaci\u00f3n adicional de la configuraci\u00f3n que se est\u00e1 ejecutando, lo cual provocar\u00eda la revelaci\u00f3n de informaci\u00f3n de la configuraci\u00f3n actual de MySQL.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:N/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:percona:toolkit:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.2.12\",\"matchCriteriaId\":\"75B5EE03-4299-4C10-94BC-81A09FBFBB98\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:percona:xtrabackup:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.2.8\",\"matchCriteriaId\":\"621D642F-7ED5-490E-9B02-E0CB62570E2D\"}]}]}],\"references\":[{\"url\":\"https://bugs.launchpad.net/percona-toolkit/+bug/1408375\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://bugs.launchpad.net/percona-toolkit/+bug/1408375\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}"
}
}
Title
Percona toolkit and xtrabackup information disclosure vulnerability
Description
Percona percona-toolkit and xtrabackup are both products of the US company Percona. percona-toolkit is a set of advanced command-line tools. xtrabackup is an open-source tool for backing up MySQL InnoDB databases. The version checking subroutine is the version-check subroutine within these tools.
The version checking subroutine in Percona percona-toolkit versions before 2.2.13 and xtrabackup versions before 2.2.9 contains a security vulnerability. An attacker can exploit this vulnerability to obtain the running configuration of MySQL.
Severity
Medium
Patch Name
Patch for the Percona toolkit and xtrabackup information disclosure vulnerability
Patch Description
Percona percona-toolkit and xtrabackup are both products of the US company Percona. percona-toolkit is a set of advanced command-line tools. xtrabackup is an open-source tool for backing up MySQL InnoDB databases. The version checking subroutine is the version-check subroutine within these tools.
The version checking subroutine in Percona percona-toolkit versions before 2.2.13 and xtrabackup versions before 2.2.9 contains a security vulnerability. An attacker can exploit this vulnerability to obtain the running configuration of MySQL. The vendor has now published a security advisory and related patch information that fixes this vulnerability.
Formal description
The vendor has released a fix for the vulnerability; please follow the update promptly: https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/
Reference
https://bugs.launchpad.net/percona-toolkit/+bug/1408375
Impacted products
| Name |
|---|
| Percona toolkit <2.2.13 |
| Percona xtrabackup <2.2.9 |
{
"cves": {
"cve": {
"cveNumber": "CVE-2015-1027"
}
},
"description": "Percona percona-toolkit\u548cxtrabackup\u90fd\u662f\u7f8e\u56fdPercona\u516c\u53f8\u7684\u4ea7\u54c1\u3002percona-toolkit\u662f\u4e00\u5957\u9ad8\u7ea7\u547d\u4ee4\u884c\u5de5\u5177\u3002xtrabackup\u662f\u4e00\u5957\u5f00\u6e90\u7684\u7528\u6765\u5907\u4efdMySQL\u7684InnoDB\u6570\u636e\u5e93\u7684\u5de5\u5177\u3002version checking subroutine\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u7248\u672c\u68c0\u67e5\u5b50\u7a0b\u5e8f\u3002\r\n\r\nPercona percona-toolkit 2.2.13\u4e4b\u524d\u7684\u7248\u672c\u548cxtrabackup 2.2.9\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u7684version checking subroutine\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6MySQL\u6b63\u5728\u8fd0\u884c\u7684\u914d\u7f6e\u3002",
"discovererName": "unknown",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2017-33524",
"openTime": "2017-11-10",
"patchDescription": "Percona percona-toolkit\u548cxtrabackup\u90fd\u662f\u7f8e\u56fdPercona\u516c\u53f8\u7684\u4ea7\u54c1\u3002percona-toolkit\u662f\u4e00\u5957\u9ad8\u7ea7\u547d\u4ee4\u884c\u5de5\u5177\u3002xtrabackup\u662f\u4e00\u5957\u5f00\u6e90\u7684\u7528\u6765\u5907\u4efdMySQL\u7684InnoDB\u6570\u636e\u5e93\u7684\u5de5\u5177\u3002version checking subroutine\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u7248\u672c\u68c0\u67e5\u5b50\u7a0b\u5e8f\u3002\r\n\r\nPercona percona-toolkit 2.2.13\u4e4b\u524d\u7684\u7248\u672c\u548cxtrabackup 2.2.9\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u7684version checking subroutine\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6MySQL\u6b63\u5728\u8fd0\u884c\u7684\u914d\u7f6e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Percona toolkit\u548cxtrabackup\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": [
"Percona toolkit \u003c2.2.13",
"Percona xtrabackup \u003c2.2.9"
]
},
"referenceLink": "https://bugs.launchpad.net/percona-toolkit/+bug/1408375",
"serverity": "\u4e2d",
"submitTime": "2017-10-10",
"title": "Percona toolkit\u548cxtrabackup\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}
FKIE_CVE-2015-1027
Vulnerability from fkie_nvd - Published: 2017-09-29 01:34 - Updated: 2026-05-13 00:24
Severity
5.9 (Medium)
Summary
The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://bugs.launchpad.net/percona-toolkit/+bug/1408375 | Issue Tracking, Third Party Advisory |
| cve@mitre.org | https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/ | Exploit, Mitigation, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugs.launchpad.net/percona-toolkit/+bug/1408375 | Issue Tracking, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/ | Exploit, Mitigation, Vendor Advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| percona | toolkit | * (up to and including 2.2.12) |
| percona | xtrabackup | * (up to and including 2.2.8) |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:percona:toolkit:*:*:*:*:*:*:*:*",
"matchCriteriaId": "75B5EE03-4299-4C10-94BC-81A09FBFBB98",
"versionEndIncluding": "2.2.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:percona:xtrabackup:*:*:*:*:*:*:*:*",
"matchCriteriaId": "621D642F-7ED5-490E-9B02-E0CB62570E2D",
"versionEndIncluding": "2.2.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL."
},
{
"lang": "es",
"value": "La subrutina de chequeo de versiones en percona-toolkit en versiones anteriores a la 2.2.13 y xtrabackup en versiones anteriores a la 2.2.9 era vulnerable a ataques silenciosos de degradaci\u00f3n HTTP y Man-in-the-Middle (MitM) en los que la respuesta del servidor se podr\u00eda modificar para que permita que el atacante responda con una carga \u00fatil de comandos modificada y fuerce a que el cliente devuelva informaci\u00f3n adicional de la configuraci\u00f3n que se est\u00e1 ejecutando, lo cual provocar\u00eda la revelaci\u00f3n de informaci\u00f3n de la configuraci\u00f3n actual de MySQL."
}
],
"id": "CVE-2015-1027",
"lastModified": "2026-05-13T00:24:29.033",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-09-29T01:34:47.907",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugs.launchpad.net/percona-toolkit/+bug/1408375"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugs.launchpad.net/percona-toolkit/+bug/1408375"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-6Q75-456Q-RJF2
Vulnerability from github – Published: 2022-05-17 00:34 – Updated: 2025-04-20 03:46
Details
The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL.
Severity
5.9 (Medium)
{
"affected": [],
"aliases": [
"CVE-2015-1027"
],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-29T01:34:00Z",
"severity": "MODERATE"
},
"details": "The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL.",
"id": "GHSA-6q75-456q-rjf2",
"modified": "2025-04-20T03:46:00Z",
"published": "2022-05-17T00:34:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1027"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/percona-toolkit/+bug/1408375"
},
{
"type": "WEB",
"url": "https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GSD-2015-1027
Vulnerability from gsd - Updated: 2023-12-13 01:20
Details
The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL.
Aliases
{
"GSD": {
"alias": "CVE-2015-1027",
"description": "The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL.",
"id": "GSD-2015-1027",
"references": [
"https://www.suse.com/security/cve/CVE-2015-1027.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2015-1027"
],
"details": "The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL.",
"id": "GSD-2015-1027",
"modified": "2023-12-13T01:20:05.797634Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-1027",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.launchpad.net/percona-toolkit/+bug/1408375",
"refsource": "CONFIRM",
"url": "https://bugs.launchpad.net/percona-toolkit/+bug/1408375"
},
{
"name": "https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/",
"refsource": "CONFIRM",
"url": "https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:percona:xtrabackup:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.2.8",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:percona:toolkit:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.2.12",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-1027"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/",
"refsource": "CONFIRM",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/"
},
{
"name": "https://bugs.launchpad.net/percona-toolkit/+bug/1408375",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugs.launchpad.net/percona-toolkit/+bug/1408375"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6
}
},
"lastModifiedDate": "2017-10-10T11:56Z",
"publishedDate": "2017-09-29T01:34Z"
}
}
}
OPENSUSE-SU-2024:10095-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00
Summary
percona-toolkit-2.2.18-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: percona-toolkit-2.2.18-1.1 on GA media
Description of the patch: These are all security issues fixed in the percona-toolkit-2.2.18-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-10095
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
CVE-2014-2029: 8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.x86_64 | — | | Vendor Fix |
Threats
Impact
important
CVE-2015-1027: 5.9 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.x86_64 | — | | Vendor Fix |
Threats
Impact
moderate
References
9 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "percona-toolkit-2.2.18-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the percona-toolkit-2.2.18-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-10095",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_10095-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2014-2029 page",
"url": "https://www.suse.com/security/cve/CVE-2014-2029/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-1027 page",
"url": "https://www.suse.com/security/cve/CVE-2015-1027/"
}
],
"title": "percona-toolkit-2.2.18-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:10095-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "percona-toolkit-2.2.18-1.1.aarch64",
"product": {
"name": "percona-toolkit-2.2.18-1.1.aarch64",
"product_id": "percona-toolkit-2.2.18-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "percona-toolkit-2.2.18-1.1.ppc64le",
"product": {
"name": "percona-toolkit-2.2.18-1.1.ppc64le",
"product_id": "percona-toolkit-2.2.18-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "percona-toolkit-2.2.18-1.1.s390x",
"product": {
"name": "percona-toolkit-2.2.18-1.1.s390x",
"product_id": "percona-toolkit-2.2.18-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "percona-toolkit-2.2.18-1.1.x86_64",
"product": {
"name": "percona-toolkit-2.2.18-1.1.x86_64",
"product_id": "percona-toolkit-2.2.18-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "percona-toolkit-2.2.18-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.aarch64"
},
"product_reference": "percona-toolkit-2.2.18-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "percona-toolkit-2.2.18-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.ppc64le"
},
"product_reference": "percona-toolkit-2.2.18-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "percona-toolkit-2.2.18-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.s390x"
},
"product_reference": "percona-toolkit-2.2.18-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "percona-toolkit-2.2.18-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.x86_64"
},
"product_reference": "percona-toolkit-2.2.18-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2014-2029",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2014-2029"
}
],
"notes": [
{
"category": "general",
"text": "The automatic version check functionality in the tools in Percona Toolkit 2.1 allows man-in-the-middle attackers to obtain sensitive information or execute arbitrary code by leveraging use of HTTP to download configuration information from v.percona.com.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.aarch64",
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.ppc64le",
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.s390x",
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2014-2029",
"url": "https://www.suse.com/security/cve/CVE-2014-2029"
},
{
"category": "external",
"summary": "SUSE Bug 864194 for CVE-2014-2029",
"url": "https://bugzilla.suse.com/864194"
},
{
"category": "external",
"summary": "SUSE Bug 919298 for CVE-2014-2029",
"url": "https://bugzilla.suse.com/919298"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.aarch64",
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.ppc64le",
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.s390x",
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.aarch64",
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.ppc64le",
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.s390x",
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2014-2029"
},
{
"cve": "CVE-2015-1027",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-1027"
}
],
"notes": [
{
"category": "general",
"text": "The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.aarch64",
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.ppc64le",
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.s390x",
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-1027",
"url": "https://www.suse.com/security/cve/CVE-2015-1027"
},
{
"category": "external",
"summary": "SUSE Bug 919298 for CVE-2015-1027",
"url": "https://bugzilla.suse.com/919298"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.aarch64",
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.ppc64le",
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.s390x",
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.aarch64",
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.ppc64le",
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.s390x",
"openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2015-1027"
}
]
}
OPENSUSE-SU-2024:10120-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00
Summary
xtrabackup-2.3.5-1.3 on GA media
Severity
Moderate
Notes
Title of the patch: xtrabackup-2.3.5-1.3 on GA media
Description of the patch: These are all security issues fixed in the xtrabackup-2.3.5-1.3 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-10120
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.x86_64 | — | | Vendor Fix |
Threats
Impact
low
8.1 (High)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.x86_64 | — | | Vendor Fix |
Threats
Impact
important
5.9 (Medium)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.x86_64 | — | | Vendor Fix |
Threats
Impact
moderate
References
14 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "xtrabackup-2.3.5-1.3 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the xtrabackup-2.3.5-1.3 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-10120",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_10120-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2013-6394 page",
"url": "https://www.suse.com/security/cve/CVE-2013-6394/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2014-2029 page",
"url": "https://www.suse.com/security/cve/CVE-2014-2029/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-1027 page",
"url": "https://www.suse.com/security/cve/CVE-2015-1027/"
}
],
"title": "xtrabackup-2.3.5-1.3 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:10120-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "xtrabackup-2.3.5-1.3.aarch64",
"product": {
"name": "xtrabackup-2.3.5-1.3.aarch64",
"product_id": "xtrabackup-2.3.5-1.3.aarch64"
}
},
{
"category": "product_version",
"name": "xtrabackup-test-2.3.5-1.3.aarch64",
"product": {
"name": "xtrabackup-test-2.3.5-1.3.aarch64",
"product_id": "xtrabackup-test-2.3.5-1.3.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "xtrabackup-2.3.5-1.3.ppc64le",
"product": {
"name": "xtrabackup-2.3.5-1.3.ppc64le",
"product_id": "xtrabackup-2.3.5-1.3.ppc64le"
}
},
{
"category": "product_version",
"name": "xtrabackup-test-2.3.5-1.3.ppc64le",
"product": {
"name": "xtrabackup-test-2.3.5-1.3.ppc64le",
"product_id": "xtrabackup-test-2.3.5-1.3.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "xtrabackup-2.3.5-1.3.s390x",
"product": {
"name": "xtrabackup-2.3.5-1.3.s390x",
"product_id": "xtrabackup-2.3.5-1.3.s390x"
}
},
{
"category": "product_version",
"name": "xtrabackup-test-2.3.5-1.3.s390x",
"product": {
"name": "xtrabackup-test-2.3.5-1.3.s390x",
"product_id": "xtrabackup-test-2.3.5-1.3.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "xtrabackup-2.3.5-1.3.x86_64",
"product": {
"name": "xtrabackup-2.3.5-1.3.x86_64",
"product_id": "xtrabackup-2.3.5-1.3.x86_64"
}
},
{
"category": "product_version",
"name": "xtrabackup-test-2.3.5-1.3.x86_64",
"product": {
"name": "xtrabackup-test-2.3.5-1.3.x86_64",
"product_id": "xtrabackup-test-2.3.5-1.3.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "xtrabackup-2.3.5-1.3.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.aarch64"
},
"product_reference": "xtrabackup-2.3.5-1.3.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xtrabackup-2.3.5-1.3.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.ppc64le"
},
"product_reference": "xtrabackup-2.3.5-1.3.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xtrabackup-2.3.5-1.3.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.s390x"
},
"product_reference": "xtrabackup-2.3.5-1.3.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xtrabackup-2.3.5-1.3.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.x86_64"
},
"product_reference": "xtrabackup-2.3.5-1.3.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xtrabackup-test-2.3.5-1.3.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.aarch64"
},
"product_reference": "xtrabackup-test-2.3.5-1.3.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xtrabackup-test-2.3.5-1.3.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.ppc64le"
},
"product_reference": "xtrabackup-test-2.3.5-1.3.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xtrabackup-test-2.3.5-1.3.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.s390x"
},
"product_reference": "xtrabackup-test-2.3.5-1.3.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xtrabackup-test-2.3.5-1.3.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.x86_64"
},
"product_reference": "xtrabackup-test-2.3.5-1.3.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2013-6394",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2013-6394"
}
],
"notes": [
{
"category": "general",
"text": "Percona XtraBackup before 2.1.6 uses a constant string for the initialization vector (IV), which makes it easier for local users to defeat cryptographic protection mechanisms and conduct plaintext attacks.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.aarch64",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.ppc64le",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.s390x",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.x86_64",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.aarch64",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.ppc64le",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.s390x",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2013-6394",
"url": "https://www.suse.com/security/cve/CVE-2013-6394"
},
{
"category": "external",
"summary": "SUSE Bug 1019858 for CVE-2013-6394",
"url": "https://bugzilla.suse.com/1019858"
},
{
"category": "external",
"summary": "SUSE Bug 852224 for CVE-2013-6394",
"url": "https://bugzilla.suse.com/852224"
},
{
"category": "external",
"summary": "SUSE Bug 860488 for CVE-2013-6394",
"url": "https://bugzilla.suse.com/860488"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.aarch64",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.ppc64le",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.s390x",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.x86_64",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.aarch64",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.ppc64le",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.s390x",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2013-6394"
},
{
"cve": "CVE-2014-2029",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2014-2029"
}
],
"notes": [
{
"category": "general",
"text": "The automatic version check functionality in the tools in Percona Toolkit 2.1 allows man-in-the-middle attackers to obtain sensitive information or execute arbitrary code by leveraging use of HTTP to download configuration information from v.percona.com.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.aarch64",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.ppc64le",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.s390x",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.x86_64",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.aarch64",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.ppc64le",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.s390x",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2014-2029",
"url": "https://www.suse.com/security/cve/CVE-2014-2029"
},
{
"category": "external",
"summary": "SUSE Bug 864194 for CVE-2014-2029",
"url": "https://bugzilla.suse.com/864194"
},
{
"category": "external",
"summary": "SUSE Bug 919298 for CVE-2014-2029",
"url": "https://bugzilla.suse.com/919298"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.aarch64",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.ppc64le",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.s390x",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.x86_64",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.aarch64",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.ppc64le",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.s390x",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.aarch64",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.ppc64le",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.s390x",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.x86_64",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.aarch64",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.ppc64le",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.s390x",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2014-2029"
},
{
"cve": "CVE-2015-1027",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-1027"
}
],
"notes": [
{
"category": "general",
"text": "The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.aarch64",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.ppc64le",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.s390x",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.x86_64",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.aarch64",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.ppc64le",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.s390x",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-1027",
"url": "https://www.suse.com/security/cve/CVE-2015-1027"
},
{
"category": "external",
"summary": "SUSE Bug 919298 for CVE-2015-1027",
"url": "https://bugzilla.suse.com/919298"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.aarch64",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.ppc64le",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.s390x",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.x86_64",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.aarch64",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.ppc64le",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.s390x",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.aarch64",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.ppc64le",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.s390x",
"openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.x86_64",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.aarch64",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.ppc64le",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.s390x",
"openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2015-1027"
}
]
}