First Last Prev Next    This bug is not in your last search results.
Bug 1200484 - (CVE-2022-26944) VUL-0: CVE-2022-26944: xtrabackup: Information exposure via cmd line output and table history into backup file
(CVE-2022-26944)
VUL-0: CVE-2022-26944: xtrabackup: Information exposure via cmd line output a...
Status: RESOLVED WONTFIX
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Cloud Bugs
Security Team bot
https://smash.suse.de/issue/333575/
:
Depends on:
Blocks: CVE-2020-10997
  Show dependency treegraph
 
Reported: 2022-06-13 10:55 UTC by Thomas Leroy
Modified: 2022-07-18 06:56 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Leroy 2022-06-13 10:55:23 UTC 
rh#2093149

Percona XtraBackup 2.4.20 unintentionally writes the command line to any resulting backup file output. This may include sensitive arguments passed at run time. In addition, when --history is passed at run time, this command line is also written to the PERCONA_SCHEMA.xtrabackup_history table. NOTE: this issue exists because of an incomplete fix for CVE-2020-10997.

https://docs.percona.com/percona-xtrabackup/2.4/release-notes/2.4/2.4.25.html
https://jira.percona.com/browse/PXB-2722

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2093149
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26944
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26944
https://docs.percona.com/percona-xtrabackup/2.4/release-notes/2.4/2.4.25.html
https://jira.percona.com/browse/PXB-2722
Comment 1 Thomas Leroy 2022-06-13 10:58:29 UTC 
It seems that this bug was introduced in the fix for CVE-2020-10997 bsc#1170644.
As long as CVE-2020-10997 remains unfixed, we are not affected.
First Last Prev Next    This bug is not in your last search results.