6 results

CVSS: 7.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

07 Jun 2023 — In Percona XtraBackup (PXB) through 2.2.24 and 3.x through 8.0.27-19, a crafted filename on the local file system could trigger unexpected command shell execution of arbitrary commands. Multiple vulnerabilities have been discovered in Percona XtraBackup, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 8.0.29.22 are affected. • https://docs.percona.com/percona-xtrabackup/8.0/release-notes/8.0/8.0.32-26.0.html#improvements • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

02 Jun 2022 — Percona XtraBackup 2.4.20 unintentionally writes the command line to any resulting backup file output. This may include sensitive arguments passed at run time. In addition, when --history is passed at run time, this command line is also written to the PERCONA_SCHEMA.xtrabackup_history table. NOTE: this issue exists because of an incomplete fix for CVE-2020-10997. • https://docs.percona.com/percona-xtrabackup/2.4/release-notes/2.4/2.4.25.html

CVSS: 6.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

27 Apr 2020 — Percona XtraBackup before 2.4.20 unintentionally writes the command line to any resulting backup file output. This may include sensitive arguments passed at run time. In addition, when --history is passed at run time, this command line is also written to the PERCONA_SCHEMA.xtrabackup_history table. • https://jira.percona.com/browse/PXB-2142 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.9 | EPSS: 0% | CPEs: 2 | EXPL: 1

28 Sep 2017 — The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and man-in-the-middle attacks in which the server response could be modified to allow the attacker to respond with a modified command payload and have the client return additional running configuration information, leading to an information disclosure of the running configuration of MySQL. • https://bugs.launchpad.net/percona-toolkit/+bug/1408375 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.9 | EPSS: 0% | CPEs: 10 | EXPL: 0

23 Mar 2017 — xbcrypt in Percona XtraBackup before 2.3.6 and 2.4.x before 2.4.5 does not properly set the initialization vector (IV) for encryption, which makes it easier for context-dependent attackers to obtain sensitive information from encrypted backup files via a chosen-plaintext attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6394. • http://lists.opensuse.org/opensuse-updates/2017-01/msg00125.html • CWE-326: Inadequate Encryption Strength

CVSS: 5.5 | EPSS: 0% | CPEs: 9 | EXPL: 0

13 Dec 2013 — Percona XtraBackup before 2.1.6 uses a constant string for the initialization vector (IV), which makes it easier for local users to defeat cryptographic protection mechanisms and conduct plaintext attacks. • http://lists.opensuse.org/opensuse-updates/2013-12/msg00052.html • CWE-310: Cryptographic Issues