[PMM-5232] pmm-managed DoS - Percona JIRA

XML

Word

Printable

Details

Type: Bug
Status: Done
Priority: High
Resolution: Done
Affects Version/s: 2.2.0
Fix Version/s: 2.2.1
Component/s: PMM ManageD
Labels:
- CVE-2020-7920

Story Points:
0
Sprint:
Platform Sprint 7, Platform Sprint 8
Needs Review:
Yes
Needs QA:
Yes
Needs Doc:
Yes

Description

Certain requests like GET /.x cause an infinite loop in pmm-managed's AuthServer.authenticate method and nextPrefix function. Effectively, that's a DoS vector that can be exploited by anyone who knows the PMM Server address. Credentials knowledge is not required.

That's an unintended side effect of the AWS setup wizard introduced in 2.2.0. No other versions are affected.

https://github.com/percona/pmm-managed/pull/325

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7920

Attachments

Issue Links

is duplicated by

PMM-5233 High CPU usage in pmm-managed

Done

mentioned in: Page Loading...

Activity

People

Assignee:: Unassigned

Reporter:: Alexey Palazhchenko (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 29/Dec/19 11:07 AM

Updated:: 28/Jan/20 12:53 PM

Resolved:: 23/Jan/20 3:47 PM

Time Tracking

Estimated:

Not Specified

Remaining: