Details

• Type: Bug
• Status: Done
• Priority: High
• Resolution: Done
• Affects Version/s: 2.2.0
• Fix Version/s: 2.2.1
• Component/s: PMM ManageD
• Labels:
• Story Points: 0
• Sprint: Platform Sprint 7, Platform Sprint 8
• Needs Review: Yes
• Needs QA: Yes
• Needs Doc: Yes

Description

Certain requests, such as GET /.x, cause an infinite loop in pmm-managed's AuthServer.authenticate method and nextPrefix function. Effectively, that's a DoS vector that can be exploited by anyone who knows the PMM Server address. Knowledge of credentials is not required.

That's an unintended side effect of the AWS setup wizard introduced in 2.2.0. No other versions are affected.

https://github.com/percona/pmm-managed/pull/325

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7920
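As an added illustration (not pmm-managed's code and not the fix in PR 325), here is a prefix walk of the kind an authorization check performs, written so that a path such as /.x cannot stall it: the path is cleaned before every step, the walk is bounded, and it aborts as soon as a step makes no progress. The rules map and role names are constructed for the example.

```go
package main

import "path"

// maxDepth bounds the prefix walk so a malformed path can never spin forever.
const maxDepth = 64

// nextPrefix returns the parent prefix of p (ending in "/"), or "" once the
// root has been consumed. Cleaning p first means inputs such as "/.x",
// "/a/./b" or "//x" cannot make the walk stall on an unchanged value.
func nextPrefix(p string) string {
	p = path.Clean("/" + p) // "/.x" -> "/.x", "/a/b/" -> "/a/b", "" -> "/"
	if p == "/" {
		return "" // nothing above the root
	}
	if dir := path.Dir(p); dir != "/" {
		return dir + "/"
	}
	return "/"
}

// prefixChain lists the prefixes visited from reqPath up to "/", for example
// "/v1/inventory/Nodes/List", "/v1/inventory/Nodes/", "/v1/inventory/", "/v1/", "/".
// It stops at "", at maxDepth, or as soon as nextPrefix makes no progress.
func prefixChain(reqPath string) []string {
	var chain []string
	cur := path.Clean("/" + reqPath)
	for i := 0; i < maxDepth && cur != ""; i++ {
		chain = append(chain, cur)
		next := nextPrefix(cur)
		if next == cur { // no progress: a bug, not a reason to keep looping
			break
		}
		cur = next
	}
	return chain
}

// longestMatch returns the role bound to the most specific matching prefix
// in rules (a constructed sample policy, not PMM's real one).
func longestMatch(rules map[string]string, reqPath string) (string, bool) {
	for _, p := range prefixChain(reqPath) {
		if role, ok := rules[p]; ok {
			return role, true
		}
	}
	return "", false
}
```

With a policy like {"/": "viewer", "/v1/": "user", "/v1/inventory/": "admin"}, GET /.x walks "/.x" then "/" and resolves to "viewer" in two steps instead of looping.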

People

Assignee: Unassigned
Reporter: Alexey Palazhchenko (alexey.palazhchenko, Inactive)


Time Tracking

Estimated: Not Specified
Remaining: Not Specified
Logged: 2h 15m