xbcrypt in Percona XtraBackup before 2.3.6 and 2.4.x before 2.4.5 does not properly set the initialization vector (IV) for encryption, which makes it easier for context-dependent attackers to obtain sensitive information from encrypted backup files via a Chosen-Plaintext attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6394.
2017-03-23T16:59:00.247
2025-04-20T01:37:25.860
Deferred
CVSSv3.0: 5.9 (MEDIUM)
AV:N/AC:M/Au:N/C:P/I:N/A:N
8.6
2.9
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | percona | xtrabackup | ≤ 2.3.5 | Yes |
| Application | percona | xtrabackup | 2.4.0 | Yes |
| Application | percona | xtrabackup | 2.4.1 | Yes |
| Application | percona | xtrabackup | 2.4.2 | Yes |
| Application | percona | xtrabackup | 2.4.3 | Yes |
| Application | percona | xtrabackup | 2.4.4 | Yes |
| Operating System | opensuse | leap | 42.1 | Yes |
| Operating System | opensuse | leap | 42.2 | Yes |
| Operating System | fedoraproject | fedora | 24 | Yes |
| Operating System | fedoraproject | fedora | 25 | Yes |