CVE-2015-1027 — Sensitive Information Exposure in Percona-toolkit

CWE-200 — Sensitive Information Exposure4 documents4 sources

Severity

5.9MEDIUMNVD

EPSS

0.3%

top 50.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Percona-toolkit Percona Toolkit Percona Xtrabackup

Timeline

PublishedSep 29

Latest updateMay 17

Description

The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/percona-toolkit< percona-toolkit 2.2.13-1 (bookworm)

▶NVDpercona/toolkit2.2.12

▶NVDpercona/xtrabackup2.2.8

🔴Vulnerability Details

GHSA

GHSA-6q75-456q-rjf2: The version checking subroutine in percona-toolkit before 2↗2022-05-17

▶

OSV

CVE-2015-1027: The version checking subroutine in percona-toolkit before 2↗2017-09-29

▶

📋Vendor Advisories

Debian

CVE-2015-1027: percona-toolkit - The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup ...↗2015

▶