cvelistv5 - CVE-2015-1027

CVE-2015-1027 (GCVE-0-2015-1027)

Vulnerability from cvelistv5 – Published: 2017-09-28 19:00 – Updated: 2024-08-06 04:33

Summary

The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

OPENSUSE-SU-2024:10120-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

xtrabackup-2.3.5-1.3 on GA media

Notes

Title of the patch

xtrabackup-2.3.5-1.3 on GA media

Description of the patch

These are all security issues fixed in the xtrabackup-2.3.5-1.3 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-10120

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "xtrabackup-2.3.5-1.3 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the xtrabackup-2.3.5-1.3 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-10120",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_10120-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2013-6394 page",
        "url": "https://www.suse.com/security/cve/CVE-2013-6394/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2014-2029 page",
        "url": "https://www.suse.com/security/cve/CVE-2014-2029/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2015-1027 page",
        "url": "https://www.suse.com/security/cve/CVE-2015-1027/"
      }
    ],
    "title": "xtrabackup-2.3.5-1.3 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:10120-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "xtrabackup-2.3.5-1.3.aarch64",
                "product": {
                  "name": "xtrabackup-2.3.5-1.3.aarch64",
                  "product_id": "xtrabackup-2.3.5-1.3.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "xtrabackup-test-2.3.5-1.3.aarch64",
                "product": {
                  "name": "xtrabackup-test-2.3.5-1.3.aarch64",
                  "product_id": "xtrabackup-test-2.3.5-1.3.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "xtrabackup-2.3.5-1.3.ppc64le",
                "product": {
                  "name": "xtrabackup-2.3.5-1.3.ppc64le",
                  "product_id": "xtrabackup-2.3.5-1.3.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "xtrabackup-test-2.3.5-1.3.ppc64le",
                "product": {
                  "name": "xtrabackup-test-2.3.5-1.3.ppc64le",
                  "product_id": "xtrabackup-test-2.3.5-1.3.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "xtrabackup-2.3.5-1.3.s390x",
                "product": {
                  "name": "xtrabackup-2.3.5-1.3.s390x",
                  "product_id": "xtrabackup-2.3.5-1.3.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "xtrabackup-test-2.3.5-1.3.s390x",
                "product": {
                  "name": "xtrabackup-test-2.3.5-1.3.s390x",
                  "product_id": "xtrabackup-test-2.3.5-1.3.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "xtrabackup-2.3.5-1.3.x86_64",
                "product": {
                  "name": "xtrabackup-2.3.5-1.3.x86_64",
                  "product_id": "xtrabackup-2.3.5-1.3.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "xtrabackup-test-2.3.5-1.3.x86_64",
                "product": {
                  "name": "xtrabackup-test-2.3.5-1.3.x86_64",
                  "product_id": "xtrabackup-test-2.3.5-1.3.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xtrabackup-2.3.5-1.3.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.aarch64"
        },
        "product_reference": "xtrabackup-2.3.5-1.3.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xtrabackup-2.3.5-1.3.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.ppc64le"
        },
        "product_reference": "xtrabackup-2.3.5-1.3.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xtrabackup-2.3.5-1.3.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.s390x"
        },
        "product_reference": "xtrabackup-2.3.5-1.3.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xtrabackup-2.3.5-1.3.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.x86_64"
        },
        "product_reference": "xtrabackup-2.3.5-1.3.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xtrabackup-test-2.3.5-1.3.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.aarch64"
        },
        "product_reference": "xtrabackup-test-2.3.5-1.3.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xtrabackup-test-2.3.5-1.3.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.ppc64le"
        },
        "product_reference": "xtrabackup-test-2.3.5-1.3.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xtrabackup-test-2.3.5-1.3.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.s390x"
        },
        "product_reference": "xtrabackup-test-2.3.5-1.3.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xtrabackup-test-2.3.5-1.3.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.x86_64"
        },
        "product_reference": "xtrabackup-test-2.3.5-1.3.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2013-6394",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2013-6394"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Percona XtraBackup before 2.1.6 uses a constant string for the initialization vector (IV), which makes it easier for local users to defeat cryptographic protection mechanisms and conduct plaintext attacks.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.aarch64",
          "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.ppc64le",
          "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.s390x",
          "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.x86_64",
          "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.aarch64",
          "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.ppc64le",
          "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.s390x",
          "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2013-6394",
          "url": "https://www.suse.com/security/cve/CVE-2013-6394"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1019858 for CVE-2013-6394",
          "url": "https://bugzilla.suse.com/1019858"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 852224 for CVE-2013-6394",
          "url": "https://bugzilla.suse.com/852224"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 860488 for CVE-2013-6394",
          "url": "https://bugzilla.suse.com/860488"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.aarch64",
            "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.ppc64le",
            "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.s390x",
            "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.x86_64",
            "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.aarch64",
            "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.ppc64le",
            "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.s390x",
            "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2013-6394"
    },
    {
      "cve": "CVE-2014-2029",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2014-2029"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The automatic version check functionality in the tools in Percona Toolkit 2.1 allows man-in-the-middle attackers to obtain sensitive information or execute arbitrary code by leveraging use of HTTP to download configuration information from v.percona.com.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.aarch64",
          "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.ppc64le",
          "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.s390x",
          "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.x86_64",
          "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.aarch64",
          "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.ppc64le",
          "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.s390x",
          "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2014-2029",
          "url": "https://www.suse.com/security/cve/CVE-2014-2029"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 864194 for CVE-2014-2029",
          "url": "https://bugzilla.suse.com/864194"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 919298 for CVE-2014-2029",
          "url": "https://bugzilla.suse.com/919298"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.aarch64",
            "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.ppc64le",
            "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.s390x",
            "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.x86_64",
            "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.aarch64",
            "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.ppc64le",
            "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.s390x",
            "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.aarch64",
            "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.ppc64le",
            "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.s390x",
            "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.x86_64",
            "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.aarch64",
            "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.ppc64le",
            "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.s390x",
            "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2014-2029"
    },
    {
      "cve": "CVE-2015-1027",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2015-1027"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.aarch64",
          "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.ppc64le",
          "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.s390x",
          "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.x86_64",
          "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.aarch64",
          "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.ppc64le",
          "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.s390x",
          "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2015-1027",
          "url": "https://www.suse.com/security/cve/CVE-2015-1027"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 919298 for CVE-2015-1027",
          "url": "https://bugzilla.suse.com/919298"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.aarch64",
            "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.ppc64le",
            "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.s390x",
            "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.x86_64",
            "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.aarch64",
            "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.ppc64le",
            "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.s390x",
            "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.aarch64",
            "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.ppc64le",
            "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.s390x",
            "openSUSE Tumbleweed:xtrabackup-2.3.5-1.3.x86_64",
            "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.aarch64",
            "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.ppc64le",
            "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.s390x",
            "openSUSE Tumbleweed:xtrabackup-test-2.3.5-1.3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2015-1027"
    }
  ]
}

OPENSUSE-SU-2024:10095-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

percona-toolkit-2.2.18-1.1 on GA media

Notes

Title of the patch

percona-toolkit-2.2.18-1.1 on GA media

Description of the patch

These are all security issues fixed in the percona-toolkit-2.2.18-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-10095

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "percona-toolkit-2.2.18-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the percona-toolkit-2.2.18-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-10095",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_10095-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2014-2029 page",
        "url": "https://www.suse.com/security/cve/CVE-2014-2029/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2015-1027 page",
        "url": "https://www.suse.com/security/cve/CVE-2015-1027/"
      }
    ],
    "title": "percona-toolkit-2.2.18-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:10095-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "percona-toolkit-2.2.18-1.1.aarch64",
                "product": {
                  "name": "percona-toolkit-2.2.18-1.1.aarch64",
                  "product_id": "percona-toolkit-2.2.18-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "percona-toolkit-2.2.18-1.1.ppc64le",
                "product": {
                  "name": "percona-toolkit-2.2.18-1.1.ppc64le",
                  "product_id": "percona-toolkit-2.2.18-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "percona-toolkit-2.2.18-1.1.s390x",
                "product": {
                  "name": "percona-toolkit-2.2.18-1.1.s390x",
                  "product_id": "percona-toolkit-2.2.18-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "percona-toolkit-2.2.18-1.1.x86_64",
                "product": {
                  "name": "percona-toolkit-2.2.18-1.1.x86_64",
                  "product_id": "percona-toolkit-2.2.18-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "percona-toolkit-2.2.18-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.aarch64"
        },
        "product_reference": "percona-toolkit-2.2.18-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "percona-toolkit-2.2.18-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.ppc64le"
        },
        "product_reference": "percona-toolkit-2.2.18-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "percona-toolkit-2.2.18-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.s390x"
        },
        "product_reference": "percona-toolkit-2.2.18-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "percona-toolkit-2.2.18-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.x86_64"
        },
        "product_reference": "percona-toolkit-2.2.18-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2014-2029",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2014-2029"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The automatic version check functionality in the tools in Percona Toolkit 2.1 allows man-in-the-middle attackers to obtain sensitive information or execute arbitrary code by leveraging use of HTTP to download configuration information from v.percona.com.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.aarch64",
          "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.ppc64le",
          "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.s390x",
          "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2014-2029",
          "url": "https://www.suse.com/security/cve/CVE-2014-2029"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 864194 for CVE-2014-2029",
          "url": "https://bugzilla.suse.com/864194"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 919298 for CVE-2014-2029",
          "url": "https://bugzilla.suse.com/919298"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.aarch64",
            "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.ppc64le",
            "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.s390x",
            "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.aarch64",
            "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.ppc64le",
            "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.s390x",
            "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2014-2029"
    },
    {
      "cve": "CVE-2015-1027",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2015-1027"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.aarch64",
          "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.ppc64le",
          "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.s390x",
          "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2015-1027",
          "url": "https://www.suse.com/security/cve/CVE-2015-1027"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 919298 for CVE-2015-1027",
          "url": "https://bugzilla.suse.com/919298"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.aarch64",
            "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.ppc64le",
            "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.s390x",
            "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.aarch64",
            "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.ppc64le",
            "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.s390x",
            "openSUSE Tumbleweed:percona-toolkit-2.2.18-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2015-1027"
    }
  ]
}

GSD-2015-1027

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2015-1027

Aliases

CVE-2015-1027

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2015-1027",
    "description": "The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL.",
    "id": "GSD-2015-1027",
    "references": [
      "https://www.suse.com/security/cve/CVE-2015-1027.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2015-1027"
      ],
      "details": "The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL.",
      "id": "GSD-2015-1027",
      "modified": "2023-12-13T01:20:05.797634Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2015-1027",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://bugs.launchpad.net/percona-toolkit/+bug/1408375",
            "refsource": "CONFIRM",
            "url": "https://bugs.launchpad.net/percona-toolkit/+bug/1408375"
          },
          {
            "name": "https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/",
            "refsource": "CONFIRM",
            "url": "https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:percona:xtrabackup:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.2.8",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:percona:toolkit:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.2.12",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-1027"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-200"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Mitigation",
                "Vendor Advisory"
              ],
              "url": "https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/"
            },
            {
              "name": "https://bugs.launchpad.net/percona-toolkit/+bug/1408375",
              "refsource": "CONFIRM",
              "tags": [
                "Issue Tracking",
                "Third Party Advisory"
              ],
              "url": "https://bugs.launchpad.net/percona-toolkit/+bug/1408375"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2017-10-10T11:56Z",
      "publishedDate": "2017-09-29T01:34Z"
    }
  }
}

GHSA-6Q75-456Q-RJF2

Vulnerability from github – Published: 2022-05-17 00:34 – Updated: 2025-04-20 03:46

Details

Severity ?

5.9 (Medium)


                  
                    CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2015-1027"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-29T01:34:00Z",
    "severity": "MODERATE"
  },
  "details": "The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL.",
  "id": "GHSA-6q75-456q-rjf2",
  "modified": "2025-04-20T03:46:00Z",
  "published": "2022-05-17T00:34:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1027"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/percona-toolkit/+bug/1408375"
    },
    {
      "type": "WEB",
      "url": "https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2015-1027

Vulnerability from fkie_nvd - Published: 2017-09-29 01:34 - Updated: 2025-04-20 01:37

Severity ?

5.9 (Medium) - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
cve@mitre.org	https://bugs.launchpad.net/percona-toolkit/+bug/1408375	Issue Tracking, Third Party Advisory
cve@mitre.org	https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/	Exploit, Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugs.launchpad.net/percona-toolkit/+bug/1408375	Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	percona	toolkit	*
	percona	xtrabackup	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:percona:toolkit:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "75B5EE03-4299-4C10-94BC-81A09FBFBB98",
              "versionEndIncluding": "2.2.12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:percona:xtrabackup:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "621D642F-7ED5-490E-9B02-E0CB62570E2D",
              "versionEndIncluding": "2.2.8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL."
    },
    {
      "lang": "es",
      "value": "La subrutina de chequeo de versiones en percona-toolkit en versiones anteriores a la 2.2.13 y xtrabackup en versiones anteriores a la 2.2.9 era vulnerable a ataques silenciosos de degradaci\u00f3n HTTP y Man-in-the-Middle (MitM) en los que la respuesta del servidor se podr\u00eda modificar para que permita que el atacante responda con una carga \u00fatil de comandos modificada y fuerce a que el cliente devuelva informaci\u00f3n adicional de la configuraci\u00f3n que se est\u00e1 ejecutando, lo cual provocar\u00eda la revelaci\u00f3n de informaci\u00f3n de la configuraci\u00f3n actual de MySQL."
    }
  ],
  "id": "CVE-2015-1027",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-09-29T01:34:47.907",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugs.launchpad.net/percona-toolkit/+bug/1408375"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugs.launchpad.net/percona-toolkit/+bug/1408375"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2017-33524

Vulnerability from cnvd - Published: 2017-11-10

Title

Percona toolkit和xtrabackup信息泄露漏洞

Description

Percona percona-toolkit和xtrabackup都是美国Percona公司的产品。percona-toolkit是一套高级命令行工具。xtrabackup是一套开源的用来备份MySQL的InnoDB数据库的工具。version checking subroutine是其中的一个版本检查子程序。 Percona percona-toolkit 2.2.13之前的版本和xtrabackup 2.2.9之前的版本中的version checking subroutine存在安全漏洞。攻击者可利用该漏洞获取MySQL正在运行的配置。

Severity

中

Patch Name

Percona toolkit和xtrabackup信息泄露漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/

Reference

https://bugs.launchpad.net/percona-toolkit/+bug/1408375

Impacted products

Name
['Percona toolkit <2.2.13', 'Percona xtrabackup <2.2.9']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-1027"
    }
  },
  "description": "Percona percona-toolkit\u548cxtrabackup\u90fd\u662f\u7f8e\u56fdPercona\u516c\u53f8\u7684\u4ea7\u54c1\u3002percona-toolkit\u662f\u4e00\u5957\u9ad8\u7ea7\u547d\u4ee4\u884c\u5de5\u5177\u3002xtrabackup\u662f\u4e00\u5957\u5f00\u6e90\u7684\u7528\u6765\u5907\u4efdMySQL\u7684InnoDB\u6570\u636e\u5e93\u7684\u5de5\u5177\u3002version checking subroutine\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u7248\u672c\u68c0\u67e5\u5b50\u7a0b\u5e8f\u3002\r\n\r\nPercona percona-toolkit 2.2.13\u4e4b\u524d\u7684\u7248\u672c\u548cxtrabackup 2.2.9\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u7684version checking subroutine\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6MySQL\u6b63\u5728\u8fd0\u884c\u7684\u914d\u7f6e\u3002",
  "discovererName": "unknown",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-33524",
  "openTime": "2017-11-10",
  "patchDescription": "Percona percona-toolkit\u548cxtrabackup\u90fd\u662f\u7f8e\u56fdPercona\u516c\u53f8\u7684\u4ea7\u54c1\u3002percona-toolkit\u662f\u4e00\u5957\u9ad8\u7ea7\u547d\u4ee4\u884c\u5de5\u5177\u3002xtrabackup\u662f\u4e00\u5957\u5f00\u6e90\u7684\u7528\u6765\u5907\u4efdMySQL\u7684InnoDB\u6570\u636e\u5e93\u7684\u5de5\u5177\u3002version checking subroutine\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u7248\u672c\u68c0\u67e5\u5b50\u7a0b\u5e8f\u3002\r\n\r\nPercona percona-toolkit 2.2.13\u4e4b\u524d\u7684\u7248\u672c\u548cxtrabackup 2.2.9\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u7684version checking subroutine\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6MySQL\u6b63\u5728\u8fd0\u884c\u7684\u914d\u7f6e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Percona toolkit\u548cxtrabackup\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Percona toolkit \u003c2.2.13",
      "Percona xtrabackup \u003c2.2.9"
    ]
  },
  "referenceLink": "https://bugs.launchpad.net/percona-toolkit/+bug/1408375",
  "serverity": "\u4e2d",
  "submitTime": "2017-10-10",
  "title": "Percona toolkit\u548cxtrabackup\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2015-1027 (GCVE-0-2015-1027)

OPENSUSE-SU-2024:10120-1

OPENSUSE-SU-2024:10095-1

GSD-2015-1027

GHSA-6Q75-456Q-RJF2

FKIE_CVE-2015-1027

CNVD-2017-33524

Tags

Sightings

Nomenclature