pmm-managed DoS

General

Escalation

General

Escalation

Description

Certain requests like GET /.x cause an infinite loop in pmm-managed's AuthServer.authenticate method and nextPrefix function. Effectively, that's a DoS vector that can be exploited by anyone who knows the PMM Server address. Credentials knowledge is not required.

That's an unintended side effect of the AWS setup wizard introduced in 2.2.0. No other versions are affected.

https://github.com/percona/pmm-managed/pull/325

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7920

How to test

None

How to document

None

Linked issues

is duplicated by

PMM-5233

High CPU usage in pmm-managed

Smart Checklist

Activity

Done

Details
Assignee
Unassigned
Reporter
Alexey Palazhchenko(Deactivated)
Priority
High
Components
Labels
CVECVE-2020-7920
Needs QA
Yes
Needs Doc
Yes
Fix versions
2.2.1
Story Points
0
Sprint
None
Affects versions
2.02.0

Smart Checklist

Created December 29, 2019 at 11:07 AM

Updated March 6, 2024 at 5:02 AM

Resolved January 23, 2020 at 3:47 PM

pmm-managed DoS

Description

How to test

How to document

Linked issues

is duplicated by

Smart Checklist

Activity

DetailsAssigneeUnassignedUnassignedReporterAlexey PalazhchenkoAlexey Palazhchenko(Deactivated)PriorityHighComponentsLabelsCVECVE-2020-7920Needs QAYesNeeds DocYesFix versions2.2.1Story Points0SprintNone+2Affects versions2.02.0

Details

Assignee

Reporter

Priority

Components

Labels

Needs QA

Needs Doc

Fix versions

Story Points

Sprint

Affects versions

Smart ChecklistOpen Smart Checklist

Smart Checklist

Details
Assignee
Unassigned
Reporter
Alexey Palazhchenko(Deactivated)
Priority
High
Components
Labels
CVECVE-2020-7920
Needs QA
Yes
Needs Doc
Yes
Fix versions
2.2.1
Story Points
0
Sprint
None
Affects versions
2.02.0

Smart Checklist