CVE-2020-10997 — Sensitive Information Exposure in Xtrabackup

CWE-200 — Sensitive Information Exposure CWE-20 — Improper Input Validation7 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 48.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Percona Xtrabackup

Timeline

PublishedApr 27

Latest updateJun 3

Description

Percona XtraBackup before 2.4.20 unintentionally writes the command line to any resulting backup file output. This may include sensitive arguments passed at run time. In addition, when --history is passed at run time, this command line is also written to the PERCONA_SCHEMA.xtrabackup_history table.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages1 packages

▶NVDpercona/xtrabackup2.4.11 — 2.4.20+2

🔴Vulnerability Details

GHSA

GHSA-pgxx-q2mh-j9jf: Percona XtraBackup 2↗2022-06-03

▶

GHSA

GHSA-p7x7-rwp6-7mfx: Percona XtraBackup before 2↗2022-05-24

▶

💬Community

Bugzilla

CVE-2020-10997 percona-xtrabackup: Information exposure via cmd line output and table history [fedora-all]↗2020-04-27

▶

Bugzilla

CVE-2020-10997 percona-xtrabackup: Information exposure via cmd line output and table history↗2020-04-27

▶

Bugzilla

CVE-2020-10997 percona-xtrabackup: Information exposure via cmd line output and table history [epel-7]↗2020-04-27

▶