CVE-2014-2029

Severity: high
Published 2017-09-29 · Modified 2026-05-13
CVSS v3: 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS v4: — (not yet in upstream)
VIR risk: 8.1

Description

The automatic version check functionality in the tools in Percona Toolkit 2.1 allows man-in-the-middle attackers to obtain sensitive information or execute arbitrary code by leveraging use of HTTP to download configuration information from v.percona.com.

Predictions

Exploit likelihood: 88%
Patch ETA: —

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · DFSG

CVE-2014-2029

Name: CVE-2014-2029
Description: The automatic version check functionality in the tools in Percona Toolkit 2.1 allows man-in-the-middle attackers to obtain sensitive information or execute arbitrary code by leveraging use of HTTP to download configuration information from v.percona.com.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 740846, 751377

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
percona-toolkit (PTS) | bookworm, bullseye, trixie | 3.2.1-1 | fixed
percona-toolkit (PTS) | forky, sid | 3.7.1-4 | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
percona-toolkit | source | wheezy | (not affected) | | |
percona-toolkit | source | (unstable) | 2.2.7-1~dfsg1 | | | 740846
percona-xtrabackup | source | (unstable) | 2.2.3-1 | | | 751377

Notes

[wheezy] - percona-toolkit <not-affected> (version-check introduced in 2.1.4)


OS impact

Debian: Fixed (5 releases)

Version | Status | Fixed in
trixie | Fixed | 2.2.7-1~dfsg1
sid | Fixed | 2.2.7-1~dfsg1
forky | Fixed | 2.2.7-1~dfsg1
bullseye | Fixed | 2.2.7-1~dfsg1
bookworm | Fixed | 2.2.7-1~dfsg1

Application impact

Vendor | Product | Versions | Fixed
percona | toolkit | 2.1 |

References

CWEs

CWE-200
