CVE-2016-6225

MEDIUM

Percona XtraBackup <2.3.6, 2.4.x <2.4.5 - Info Disclosure

Title source: llm
STIX 2.1

Description

xbcrypt in Percona XtraBackup before 2.3.6 and 2.4.x before 2.4.5 does not properly set the initialization vector (IV) for encryption, which makes it easier for context-dependent attackers to obtain sensitive information from encrypted backup files via a Chosen-Plaintext attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6394.

References (8)

Core 8
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/percona/percona-xtrabackup/pull/267
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2017-01/msg00126.html
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2017-01/msg00125.html
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugs.launchpad.net/percona-xtrabackup/+bug/1643949
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/percona/percona-xtrabackup/pull/266

Scores

CVSS v3 5.9
EPSS 0.0033
EPSS Percentile 56.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-326
Status published
Products (10)
fedoraproject/fedora 24
fedoraproject/fedora 25
opensuse/leap 42.1
opensuse/leap 42.2
percona/xtrabackup 2.4.0 rc1
percona/xtrabackup 2.4.1
percona/xtrabackup 2.4.2
percona/xtrabackup 2.4.3
percona/xtrabackup 2.4.4
percona/xtrabackup < 2.3.5
Published Mar 23, 2017
Tracked Since Feb 18, 2026