CVE-2022-25834 — Command Injection in Xtrabackup

CWE-77 — Command Injection4 documents4 sources

Severity

7.8HIGHNVD

EPSS

0.2%

top 53.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Percona Xtrabackup

Timeline

PublishedJun 7

Latest updateApr 22

Description

In Percona XtraBackup (PXB) through 2.2.24 and 3.x through 8.0.27-19, a crafted filename on the local file system could trigger unexpected command shell execution of arbitrary commands.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages1 packages

▶NVDpercona/xtrabackup3.0 — 8.0.27-19+1

🔴Vulnerability Details

OSV

CVE-2022-25834: In Percona XtraBackup (PXB) through 2↗2023-06-07

▶

GHSA

GHSA-hhfm-2xhw-4542: In Percona XtraBackup (PXB) through 2↗2023-06-07

▶

📋Vendor Advisories

Ubuntu

Percona XtraBackup vulnerability↗2024-04-22

▶