Details

    • Type: Bug
    • Status: Done
    • Priority: High
    • Resolution: Done
    • Affects Version/s: 2.2.0
    • Fix Version/s: 2.2.1
    • Component/s: PMM ManageD
    • Labels:
    • Story Points:
      0
    • Sprint:
      Platform Sprint 7, Platform Sprint 8
    • Needs Review:
      Yes
    • Needs QA:
      Yes
    • Needs Doc:
      Yes

      Description

      Certain requests like GET /.x cause an infinite loop in pmm-managed's AuthServer.authenticate method and nextPrefix function. Effectively, that's a DoS vector that can be exploited by anyone who knows the PMM Server address. Credentials knowledge is not required.

      That's an unintended side effect of the AWS setup wizard introduced in 2.2.0. No other versions are affected.

      https://github.com/percona/pmm-managed/pull/325

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7920

        Smart Checklist

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  alexey.palazhchenko Alexey Palazhchenko
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  4 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved:

                    Time Tracking

                    Estimated:
                    Original Estimate - Not Specified
                    Not Specified
                    Remaining:
                    Remaining Estimate - Not Specified
                    Not Specified
                    Logged:
                    Time Spent - 2 hours, 15 minutes
                    2h 15m