Bug 1170644 - (CVE-2020-10997) VUL-1: CVE-2020-10997: xtrabackup: information exposure via cmd line output and table history
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/258496/
CVSSv3.1:SUSE:CVE-2020-10997:4.0:(AV...
Depends on: CVE-2022-26944 CVE-2020-29488
Blocks:
Reported: 2020-04-28 06:19 UTC by Wolfgang Frisch
Modified: 2022-11-23 14:43 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Wolfgang Frisch 2020-04-28 06:19:05 UTC
CVE-2020-10997

Percona XtraBackup before 2.4.20 unintentionally writes the command line to any resulting backup file output. This may include sensitive arguments passed at run time. In addition, when --history is passed at run time, this command line is also written to the PERCONA_SCHEMA.xtrabackup_history table.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1828442
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10997
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10997
https://www.percona.com/blog/2020/04/16/cve-2020-10997-percona-xtrabackup-information-disclosure-of-command-line-arguments/
https://jira.percona.com/browse/PXB-2142
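As an added, defensive example (not Percona's code and not part of this bug report), the check below scans the command line an affected backup recorded for secrets of the kind CVE-2020-10997 leaks, and masks them before the line is kept anywhere. The `tool_command` field name, the option list and the sample text are assumptions constructed for the example.

```python
import re
import shlex

# Long options whose values are secrets when they appear on an xtrabackup
# command line (assumed list for this example): the MySQL password and the
# backup encryption key.
SECRET_LONG_OPTS = ("password", "encrypt-key")


def find_secrets(command_line):
    """Return (option, value) pairs carrying secrets in an xtrabackup command line."""
    found = []
    argv = shlex.split(command_line)
    i = 0
    while i < len(argv):
        arg = argv[i]
        for opt in SECRET_LONG_OPTS:
            flag = "--" + opt
            if arg.startswith(flag + "="):          # --password=VALUE
                found.append((opt, arg[len(flag) + 1:]))
            elif arg == flag and i + 1 < len(argv):  # --password VALUE
                found.append((opt, argv[i + 1]))
                i += 1
        # MySQL-style short option with the value glued on: -pVALUE
        if arg.startswith("-p") and not arg.startswith("--") and len(arg) > 2:
            found.append(("password", arg[2:]))
        i += 1
    return found


def redact(command_line):
    """Mask secret values so the command line can be stored or logged safely."""
    for opt in SECRET_LONG_OPTS:
        command_line = re.sub(r"(--%s)(?:=|\s+)\S+" % opt, r"\1=****", command_line)
    return re.sub(r"(^|\s)-p\S+", r"\1-p****", command_line)


# Constructed sample of an xtrabackup_info-style file as an affected version
# could have written it (field name tool_command is an assumption); not real data.
SAMPLE_INFO = """uuid = 00000000-0000-0000-0000-000000000000
tool_name = innobackupex
tool_command = --user=backup --password=S3cretPw --history=nightly /backups
"""


def scan_info(text):
    """Report secrets found in the tool_command line of an xtrabackup_info text."""
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "tool_command":
            return find_secrets(value.strip())
    return []
```

The same `find_secrets` check can be run over the `tool_command` column of rows read from the history table the advisory names.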
Comment 2 OBSbugzilla Bot 2022-11-20 13:35:05 UTC
This is an autogenerated message for OBS integration:
This bug (1170644) was mentioned in
https://build.opensuse.org/request/show/1036938 Backports:SLE-15-SP3+Backports:SLE-15-SP4 / xtrabackup
Comment 3 OBSbugzilla Bot 2022-11-20 15:35:05 UTC
This is an autogenerated message for OBS integration:
This bug (1170644) was mentioned in
https://build.opensuse.org/request/show/1036940 Backports:SLE-15-SP4 / xtrabackup
Comment 4 Andreas Stieger 2022-11-21 12:20:28 UTC
Submitted for openSUSE:Backports:SLE-15-SP4:Update, pending licensedigger review. Please check where this is stuck.

xtrabackup was dropped from openSUSE:Backports:SLE-15-SP5 (SR#1036945)
Comment 5 Swamp Workflow Management 2022-11-23 14:23:51 UTC
openSUSE-SU-2022:10212-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1125418,1135095,1170644,1205581
CVE References: CVE-2020-10997,CVE-2020-29488
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP4 (src):    xtrabackup-2.4.26-bp154.2.3.1
Comment 6 Andreas Stieger 2022-11-23 14:43:22 UTC
Fixed in 15.4. Not fixing for 15.3. Dropped from next. Closing.