5.9
CVE-2016-6225
- EPSS 1.12%
- Veröffentlicht 23.03.2017 16:59:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
xbcrypt in Percona XtraBackup before 2.3.6 and 2.4.x before 2.4.5 does not properly set the initialization vector (IV) for encryption, which makes it easier for context-dependent attackers to obtain sensitive information from encrypted backup files via a Chosen-Plaintext attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6394.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Percona ≫ Xtrabackup Version <= 2.3.5
Percona ≫ Xtrabackup Version2.4.0 Updaterc1
Percona ≫ Xtrabackup Version2.4.1
Percona ≫ Xtrabackup Version2.4.2
Percona ≫ Xtrabackup Version2.4.3
Percona ≫ Xtrabackup Version2.4.4
Fedoraproject ≫ Fedora Version24
Fedoraproject ≫ Fedora Version25
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.12% | 0.62 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.9 | 2.2 | 3.6 |
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:P/I:N/A:N
|
CWE-326 Inadequate Encryption Strength
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
http://lists.opensuse.org/opensuse-updates/2017-01/msg00125.html
http://lists.opensuse.org/opensuse-updates/2017-01/msg00126.html
https://bugs.launchpad.net/percona-xtrabackup/+bug/1643949
https://github.com/percona/percona-xtrabackup/pull/266
https://github.com/percona/percona-xtrabackup/pull/267
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAHI6ETS22FJCMLW7A6SICFKQXF5G2VI/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBVCP6KLFVGG6HSGLHLTMZRD6C4IJSZP/
https://www.percona.com/blog/2017/01/12/cve-2016-6225-percona-xtrabackup-encryption-iv-not-set-properly/