{"id":"CVE-2016-6225","details":"xbcrypt in Percona XtraBackup before 2.3.6 and 2.4.x before 2.4.5 does not properly set the initialization vector (IV) for encryption, which makes it easier for context-dependent attackers to obtain sensitive information from encrypted backup files via a Chosen-Plaintext attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6394.","modified":"2026-04-10T03:53:45.828305Z","published":"2017-03-23T16:59:00.247Z","references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAHI6ETS22FJCMLW7A6SICFKQXF5G2VI/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBVCP6KLFVGG6HSGLHLTMZRD6C4IJSZP/"},{"type":"ADVISORY","url":"https://www.percona.com/blog/2017/01/12/cve-2016-6225-percona-xtrabackup-encryption-iv-not-set-properly/"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-updates/2017-01/msg00125.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-updates/2017-01/msg00126.html"},{"type":"FIX","url":"https://bugs.launchpad.net/percona-xtrabackup/+bug/1643949"},{"type":"FIX","url":"https://github.com/percona/percona-xtrabackup/pull/266"},{"type":"FIX","url":"https://github.com/percona/percona-xtrabackup/pull/267"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/percona/percona-xtrabackup","events":[{"introduced":"0"},{"last_affected":"45cda897da4c6be5ce0bce127e7a1933229d4d16"},{"introduced":"0"},{"last_affected":"0d1198401797ef6f29ddc4604a5ce585ef476106"},{"introduced":"0"},{"last_affected":"a2dc9d4a27a76edc5df1b888b0be0c2069e75cac"},{"introduced":"0"},{"last_affected":"8e86a84734d7cdf2150d3b25ae9d7ac71e6aba6f"},{"introduced":"0"},{"last_affected":"6a469052242ec9fbb1e2b333068ce9b5d0f67a0c"},{"introduced":"0"},{"last_affected":"df58cf2ad82242fce89fa9b04f8328b46782dc39"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.3.5"},{"introduced":"0"},{"last_affected":"2.4.0-rc1"},{"introduced":"0"},{"last_affected":"2.4.1"},{"introduced":"0"},{"last_affected":"2.4.2"},{"introduced":"0"},{"last_affected":"2.4.3"},{"introduced":"0"},{"last_affected":"2.4.4"}]}}],"versions":["clone-5.1.0-build","clone-5.1.31-pv-0.2.0-build","clone-5.1.4-build","clone-5.4.0-build","clone-5.6.11-build","clone-5.6.3-m5-build","clone-5.6.3-m6-build","clone-5.6.6-m9-build","clone-5.6.7-rc-build","clone-5.6.9-rc-build","mysql-3.23.22-beta","mysql-3.23.28-gamma","mysql-3.23.30-gamma","mysql-3.23.31","mysql-3.23.32","mysql-3.23.33","mysql-3.23.36","mysql-4.0.2","mysql-4.0.4","mysql-5.1.4","mysql-5.6.11","mysql_4.0","mysqlsummit-0.2.0","mysqlsummit-0.2.0-build","mysqlsummit-0.2.1","mysqlsummit-0.2.1-build","percona-xtrabackup-2.3.5","percona-xtrabackup-2.4.0-rc1","percona-xtrabackup-2.4.1","percona-xtrabackup-2.4.2","percona-xtrabackup-2.4.3","percona-xtrabackup-2.4.4"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"42.1"}]},{"events":[{"introduced":"0"},{"last_affected":"42.2"}]},{"events":[{"introduced":"0"},{"last_affected":"24"}]},{"events":[{"introduced":"0"},{"last_affected":"25"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-6225.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}