Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
MySQL K8s charm could leak credentials for root-level user `serverconfig`
Vulnerability Description
Charmed MySQL K8s operator is a Charmed Operator for running MySQL on Kubernetes. Before revision 221, the method for calling a SQL DDL or python based mysql-shell scripts can leak database users credentials. The method mysql-operator calls mysql-shell application rely on writing to a temporary script file containing the full URI, with user and password. The file can be read by a unprivileged user during the operator runtime, due it being created with read permissions (0x644). On other cases, when calling mysql cli, for one specific case when creating the operator users, the DDL contains said users credentials, which can be leak through the same mechanism of a temporary file. All versions prior to revision 221 for kubernetes and revision 338 for machine operators.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Vulnerability Type
明文存储口令
Vulnerability Title
MySQL K8s operator 安全漏洞
Vulnerability Description
MySQL K8s operator是Canonical开源的一个在Kubernetes上运行MySQL的字符运算符。 MySQL K8s operator 221之前版本存在安全漏洞,该漏洞源于临时脚本文件权限设置不当,可能导致数据库用户凭据泄露。
CVSS Information
N/A
Vulnerability Type
N/A