
MySQL K8s charm could leak credentials for root-level user `serverconfig`

Low
paulomach published GHSA-g83v-7694-2hf7 Apr 9, 2025

Package              Affected versions   Patched versions
mysql-k8s-operator   revisions < 221     revision 221
mysql-operator       revisions < 338     revision 338

Description

CVE-2025-24375: Plain-file scripts in mysql-operator can lead to a password leak

Summary:
The current method for running SQL DDL or Python-based mysql-shell scripts can leak database users' credentials.

Details:
The way mysql-operator invokes the mysql-shell application relies on writing a temporary script file that contains the full connection URI, including user and password. Because the file is created with read permissions for everyone (mode 0644), an unprivileged local user can read it while the operator is running. In another case, when the mysql CLI is called to create the operator users, the DDL itself contains those users' credentials, which can leak through the same temporary-file mechanism.
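
To make the failure mode described above concrete, the following added example (not the charm's own code, and not the fix the project shipped) reproduces the world-readable temp-script pattern next to a variant created with mode 0600, plus a small audit that flags files readable by others that carry a user:password@ URI. The sample script, credential and address are constructed.

```python
import os
import re
import stat
import tempfile

# Constructed sample of the script shape the advisory describes: full URI inline.
SAMPLE_SCRIPT = "shell.connect('mysql://serverconfig:Example-Pa55w0rd@10.0.0.5:3306')\n"
CREDENTIAL_URI = re.compile(r"[a-z]+://[^/\s:@]+:[^\s@]+@")  # scheme://user:pass@


def write_script_insecure(script: str, directory: str) -> str:
    # The flawed pattern: open() honours the umask, so with the usual 022 the file
    # is 0644 and any local user can read it. chmod pins that mode for the demo.
    path = os.path.join(directory, "mysqlsh_script.py")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(script)
    os.chmod(path, 0o644)
    return path


def write_script_private(script: str, directory: str) -> str:
    # Hardened variant: mkstemp creates the file atomically with mode 0600, so it
    # is owner-only from the first instant. The secret is still on disk, so delete
    # the file right after use; keeping the password out of the script is stronger.
    fd, path = tempfile.mkstemp(prefix="mysqlsh_", suffix=".py", dir=directory)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(script)
    return path


def readable_by_others(path: str) -> bool:
    # The condition the advisory describes: group or world read bit set.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def find_exposed_credentials(directory: str) -> list:
    # Defender-side audit: files readable by others that carry a user:password@ URI.
    hits = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and readable_by_others(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                if CREDENTIAL_URI.search(fh.read()):
                    hits.append(name)
    return sorted(hits)


def demo() -> dict:
    # Write both variants into a scratch directory and audit it.
    scratch = tempfile.mkdtemp(prefix="cve-2025-24375-demo-")
    insecure = write_script_insecure(SAMPLE_SCRIPT, scratch)
    private = write_script_private(SAMPLE_SCRIPT, scratch)
    return {"insecure_exposed": readable_by_others(insecure),
            "private_exposed": readable_by_others(private),
            "audit_hits": find_exposed_credentials(scratch)}
```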

Impact:

  • Confidentiality: Compromise of database credentials.
  • Affected Users: All users of the mysql-operator machine and Kubernetes operators.
  • Exploitation Prerequisites: Requires access to the operator host.

Affected Versions:
All revisions prior to 221 for the Kubernetes operator and 338 for the machine operator.

Mitigation:
Users are advised to:

  1. Immediately update to revision 221 (k8s) or 338 (vm) or later, where this vulnerability has been addressed. Follow the upgrade guides for k8s and vm.
  2. Rotate any exposed credentials.

Resolution:
The vulnerability has been resolved in revision 221 (for k8s) and 338 (for machine), where the method for calling scripts was changed so that no credential is exposed.

References:

CVSS Score:
Low

Severity

Low


CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
None

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:N

CVE ID

CVE-2025-24375

Weaknesses

No CWEs