Vulnerability CVE-2015-1027

Vulnerability Name:

CVE-2015-1027 (CCN-132820)

Assigned:

2015-05-06

Published:

2015-05-06

Updated:

2017-10-10

Summary:

The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response could be modified to allow the attacker to respond with modified command payload and have the client return additional running configuration information leading to an information disclosure of running configuration of MySQL.

CVSS v3 Severity:

5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.4 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-200

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2015-1027

Source: CONFIRM
Type: Issue Tracking, Third Party Advisory
https://bugs.launchpad.net/percona-toolkit/+bug/1408375

Source: XF
Type: UNKNOWN
percona-cve20151027-info-disc(132820)

Source: CCN
Type: Percona Security Advisory CVE-2015-1027
CVE-2015-1027

Source: CONFIRM
Type: Exploit, Mitigation, Vendor Advisory
https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2015-1027

Vulnerable Configuration:

Configuration 1:

cpe:/a:percona:toolkit:*:*:*:*:*:*:*:* (Version <= 2.2.12)

OR cpe:/a:percona:xtrabackup:*:*:*:*:*:*:*:* (Version <= 2.2.8)

Configuration CCN 1:

cpe:/a:percona:xtrabackup:2.2.8:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20151027	V	CVE-2015-1027	2022-06-30
oval:org.opensuse.security:def:113609	P	xtrabackup-2.3.5-1.3 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:113105	P	percona-toolkit-2.2.18-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:106540	P	percona-toolkit-2.2.18-1.1 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:106992	P	xtrabackup-2.3.5-1.3 on GA media (Moderate)	2021-10-01
oval:com.ubuntu.bionic:def:201510270000000	V	CVE-2015-1027 on Ubuntu 18.04 LTS (bionic) - medium.	2017-09-29
oval:com.ubuntu.xenial:def:201510270000000	V	CVE-2015-1027 on Ubuntu 16.04 LTS (xenial) - medium.	2017-09-29
oval:com.ubuntu.disco:def:201510270000000	V	CVE-2015-1027 on Ubuntu 19.04 (disco) - medium.	2017-09-29
oval:com.ubuntu.cosmic:def:201510270000000	V	CVE-2015-1027 on Ubuntu 18.10 (cosmic) - medium.	2017-09-28
oval:com.ubuntu.artful:def:20151027000	V	CVE-2015-1027 on Ubuntu 17.10 (artful) - medium.	2017-09-28
oval:com.ubuntu.trusty:def:20151027000	V	CVE-2015-1027 on Ubuntu 14.04 LTS (trusty) - medium.	2017-09-28
oval:com.ubuntu.bionic:def:20151027000	V	CVE-2015-1027 on Ubuntu 18.04 LTS (bionic) - medium.	2017-09-28
oval:com.ubuntu.xenial:def:20151027000	V	CVE-2015-1027 on Ubuntu 16.04 LTS (xenial) - medium.	2017-09-28
oval:com.ubuntu.cosmic:def:20151027000	V	CVE-2015-1027 on Ubuntu 18.10 (cosmic) - medium.	2017-09-28
oval:com.ubuntu.precise:def:20151027000	V	CVE-2015-1027 on Ubuntu 12.04 LTS (precise) - medium.	2015-03-11

BACK