CVE-2016-6225 — Inadequate Encryption Strength in Xtrabackup

CWE-326 — Inadequate Encryption Strength7 documents5 sources

Severity

5.9MEDIUMNVD

OSV2.1

EPSS

0.3%

top 44.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Percona Xtrabackup Fedoraproject Fedora Opensuse Leap

Timeline

PublishedMar 23

Latest updateMay 14

Description

xbcrypt in Percona XtraBackup before 2.3.6 and 2.4.x before 2.4.5 does not properly set the initialization vector (IV) for encryption, which makes it easier for context-dependent attackers to obtain sensitive information from encrypted backup files via a Chosen-Plaintext attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6394.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶NVDpercona/xtrabackup2.3.5+5

▶NVDopensuse/leap42.1, 42.2+1

Also affects: Fedora 24, 25

Patches

Patch: bugs.launchpad.net ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-qgjv-rwc2-2rr2: xbcrypt in Percona XtraBackup before 2↗2022-05-14

▶

OSV

CVE-2016-6225: xbcrypt in Percona XtraBackup before 2↗2017-03-23

▶

💥Exploits & PoCs

Exploit-DB

iOS/macOS - 'task_swap_mach_voucher()' Use-After-Free↗2019-01-25

▶

💬Community

Bugzilla

CVE-2016-6225 percona-xtrabackup: Encryption IV not being set properly [epel-7]↗2017-01-13

▶

Bugzilla

CVE-2016-6225 percona-xtrabackup: Encryption IV not being set properly↗2017-01-13

▶

Bugzilla

CVE-2016-6225 percona-xtrabackup: Encryption IV not being set properly [fedora-all]↗2017-01-13

▶