
CVE-2020-10997 – Percona XtraBackup information disclosure of command line argum...

source link: https://www.percona.com/blog/2020/04/16/cve-2020-10997-percona-xtrabackup-information-disclosure-of-command-line-arguments/

CVE-2020-10997

Percona XtraDB backup >= 2.4.11 suffers an issue whereby the whole command line is captured and written to the resulting backup file location; where the --history command line argument is passed, the command line is also captured within the PERCONA_SCHEMA.xtrabackup_history table. This is in addition to the information being present in the process list and in standard error output.

This issue is resolved in >= 2.4.20 and >= 8.0.11.

Applicability

Access to backup files is required in order to exploit this issue. Protecting backup files and media is already a well-known best practice, and we encourage our users to continue to follow it.

Authenticated access to the MySQL server is required to collect the command line data where --history was used during the backup.

Authenticated access to the Linux system on which PXB is being executed, or access to the process list metadata, would be required in order to obtain the command line arguments used during execution, as well as access to standard error output.
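The exposure described above comes down to a command line, including any inline `--password=` value, being copied into files in the backup directory (and, with `--history`, into a table). The following script is an added example for defenders and is not Percona code: it walks an existing backup directory, finds lines that still carry an inline password, and shows the redacted form that should have been stored instead. The sample metadata file, its name and the `tool_command` key are constructed for the demo and are assumptions, not taken from the advisory; the redaction rule itself relies only on the two inline password syntaxes MySQL-style clients accept (`--password=VALUE` and `-pVALUE`).

```python
"""Find and redact inline passwords in command lines recorded under a
backup directory. Added example for this advisory; not Percona code."""
import shlex
import tempfile
from pathlib import Path

# Constructed sample of a metadata file a backup tool might leave in the
# backup directory. File name and key layout are assumptions for the demo.
SAMPLE_INFO = """uuid = 00000000-0000-0000-0000-000000000000
name = nightly
tool_name = xtrabackup
tool_command = --backup --user=bkp --password=Sup3rS3cret --history=nightly --target-dir=/backups/nightly
"""


def redact_command_line(cmd: str) -> tuple[str, int]:
    """Mask the two forms in which a MySQL-style client takes a password
    inline: --password=VALUE and -pVALUE. A bare --password or -p makes the
    client prompt instead, so those tokens carry no secret and are kept.
    Returns the redacted line and the number of secrets masked."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:
        # Unbalanced quotes: fall back to whitespace splitting so the line
        # is still redacted rather than skipped.
        tokens = cmd.split()
    out, hits = [], 0
    for tok in tokens:
        if tok.startswith("--password="):
            out.append("--password=<REDACTED>")
            hits += 1
        elif tok.startswith("-p") and len(tok) > 2:
            # -pVALUE: short option with the value glued on
            out.append("-p<REDACTED>")
            hits += 1
        else:
            out.append(tok)
    return " ".join(out), hits


def scan_backup_dir(root: Path) -> list[tuple[str, int, str]]:
    """Walk root and return (relative path, line number, redacted line) for
    every text line that contains an inline password argument."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            redacted, hits = redact_command_line(line)
            if hits:
                findings.append((str(path.relative_to(root)), lineno, redacted))
    return findings


def run_demo() -> list[tuple[str, int, str]]:
    """Build a constructed backup directory in a temp location and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "xtrabackup_info").write_text(SAMPLE_INFO)
        (root / "backup-my.cnf").write_text("[mysqld]\ninnodb_log_file_size=50331648\n")
        return scan_backup_dir(root)


if __name__ == "__main__":
    for rel, lineno, line in run_demo():
        print(f"{rel}:{lineno}: {line}")
```

Run it against a real backup tree to find archives that need re-creating with a fixed version or a password source other than the command line (an option file or prompt); the same `redact_command_line` function can be applied to rows exported from the history table when `--history` was in use.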

Credits

Percona would like to thank Zsolt Paragi for discovering this issue, and working to aid resolution.

More Information

Release notes

