Details

    • Type: Bug
    • Status: Done
    • Priority: High
    • Resolution: Done
    • Affects Version: 2.2.0
    • Fix Version: 2.2.1
    • Component: PMM ManageD
    • 0
    • Sprint: Platform Sprint 7, Platform Sprint 8
    • Yes
    • Yes
    • Yes

    Description

      Certain requests, such as GET /.x, cause an infinite loop in pmm-managed's AuthServer.authenticate method and nextPrefix function. Effectively, that is a DoS vector that can be exploited by anyone who knows the PMM Server address; knowledge of credentials is not required.

      That's an unintended side effect of the AWS setup wizard introduced in 2.2.0. No other versions are affected.

      https://github.com/percona/pmm-managed/pull/325

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7920
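      As an added illustration (not pmm-managed's code and not the fix from the linked pull request), the Go block below walks a request path down through its prefixes the way a per-prefix authorizer like AuthServer.authenticate must, written so that /.x and any path made only of separators terminate, and with a progress guard that turns a non-shrinking step into an error rather than an endless loop. The names nextPrefix and walkPrefixes are illustrative; only nextPrefix is mentioned on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// nextPrefix returns the next shorter prefix of a request path, cutting at '/' and
// '.' so gRPC ("/inventory.Nodes/ListNodes") and JSON ("/v1/inventory/Nodes/List")
// paths both walk down to "/". Illustrative code written for this page, not pmm-managed's
// own. Key property: any input other than "/" yields a strictly shorter result.
func nextPrefix(path string) string {
	if path == "" || path[0] != '/' || path == "/" {
		return "/"
	}
	// Trailing separators go first: "/v1/" -> "/v1", "/inventory." -> "/inventory".
	// A path made only of separators ("/.", "//") collapses straight to "/".
	if t := strings.TrimRight(path, "/."); t != path {
		if t == "" {
			return "/"
		}
		return t
	}
	// Otherwise cut back to the last separator and keep it: "/.x" -> "/.".
	i := strings.LastIndexAny(path, "/.")
	return path[:i+1]
}

// walkPrefixes lists every prefix from path down to "/", the order in which an
// authorizer would consult per-prefix rules. The step function is a parameter so a
// defective one can be exercised; the length check turns an infinite loop into an error.
func walkPrefixes(path string, step func(string) string) ([]string, error) {
	if path == "" || path[0] != '/' {
		path = "/"
	}
	chain := []string{path}
	for p := path; p != "/"; {
		next := step(p)
		if len(next) >= len(p) {
			return chain, fmt.Errorf("no progress: step(%q) = %q", p, next)
		}
		chain = append(chain, next)
		p = next
	}
	return chain, nil
}

func main() {
	fmt.Println(walkPrefixes("/.x", nextPrefix))
}
```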

    People

      Assignee: Unassigned
      Reporter: Alexey Palazhchenko (Inactive)
      Votes: 0
      Watchers: 4

    Time Tracking

      Logged: 2h 15m