CVE-2020-26542
https://notcve.org/view.php?id=CVE-2020-26542
An issue was discovered in the MongoDB Simple LDAP plugin through 2020-10-02 for Percona Server when using the SimpleLDAP authentication in conjunction with Microsoft’s Active Directory, Percona has discovered a flaw that would allow authentication to complete when passing a blank value for the account password, leading to access against the service integrated with which Active Directory is deployed at the level granted to the authenticating account. Se detectó un problema en el plugin LDAP Simple de MongoDB hasta el 2020-10-02 para Percona Server al utilizar la autenticación SimpleLDAP junto con el Directorio Activo de Microsoft, Percona ha descubierto un fallo que permitiría completar la autenticación al pasar un valor en blanco para la contraseña de la cuenta, lo que lleva a un acceso contra el servicio integrado con el que se despliega el Directorio Activo al nivel concedido a la cuenta autenticadora • https://jira.percona.com/browse/PS-7358 https://jira.percona.com/browse/PSMDB-726 https://www.percona.com/blog/2020/10/13/percona-distribution-for-mysql-pxc-variant-8-0-20-fixes-for-security-vulnerability-release-roundup-october-13-2020 https://www.percona.com/doc/percona-distribution-mysql/8.0/release-notes-pxc-v8.0.20.upd2.html • CWE-287: Improper Authentication •
CVE-2020-15180 – mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep
https://notcve.org/view.php?id=CVE-2020-15180
A flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitization in `wsrep_sst_method` allows for command injection that can be exploited by a remote attacker to execute arbitrary commands on galera cluster nodes. This threatens the system's confidentiality, integrity, and availability. This flaw affects mariadb versions before 10.1.47, before 10.2.34, before 10.3.25, before 10.4.15 and before 10.5.6. Se encontró un fallo en el componente mysql-wsrep de mariadb. • https://bugzilla.redhat.com/show_bug.cgi?id=1894919 https://lists.debian.org/debian-lts-announce/2020/10/msg00021.html https://security.gentoo.org/glsa/202011-14 https://www.debian.org/security/2020/dsa-4776 https://www.percona.com/blog/2020/10/30/cve-2020-15180-affects-percona-xtradb-cluster https://access.redhat.com/security/cve/CVE-2020-15180 • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •
CVE-2020-10996
https://notcve.org/view.php?id=CVE-2020-10996
An issue was discovered in Percona XtraDB Cluster before 5.7.28-31.41.2. A bundled script inadvertently sets a static transition_key for SST processes in place of the random key expected. Se detectó un problema en Percona XtraDB Cluster en versiones anteriores a la 5.7.28-31.41.2. Un script empaquetado establece inadvertidamente un transition_key estático para los procesos SST en lugar de la clave aleatoria esperada. • https://jira.percona.com/browse/PXC-3117 https://www.percona.com/blog/2020/04/20/cve-2020-10996-percona-xtradb-cluster-sst-script-static-key https://www.percona.com/doc/percona-xtradb-cluster/LATEST/release-notes/Percona-XtraDB-Cluster-5.7.28-31.41.2.html • CWE-798: Use of Hard-coded Credentials CWE-838: Inappropriate Encoding for Output Context •
CVE-2020-10997
https://notcve.org/view.php?id=CVE-2020-10997
Percona XtraBackup before 2.4.20 unintentionally writes the command line to any resulting backup file output. This may include sensitive arguments passed at run time. In addition, when --history is passed at run time, this command line is also written to the PERCONA_SCHEMA.xtrabackup_history table. Percona XtraBackup versiones anteriores a la versión 2.4.20, escribe involuntariamente en la línea de comandos en cualquier salida de archivo de copia de seguridad resultante. Esto puede incluir argumentos confidenciales pasados durante el tiempo de ejecución. • https://jira.percona.com/browse/PXB-2142 https://www.percona.com/blog/2020/04/16/cve-2020-10997-percona-xtrabackup-information-disclosure-of-command-line-arguments • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2020-7920
https://notcve.org/view.php?id=CVE-2020-7920
pmm-server in Percona Monitoring and Management (PMM) 2.2.x before 2.2.1 allows unauthenticated denial of service. pmm-server en Percona Monitoring and Management (PMM) versiones 2.2.x anteriores a 2.2.1, permite una denegación de servicio no autenticada. • https://jira.percona.com/browse/PMM-5232 https://jira.percona.com/browse/PMM-5233 https://www.percona.com/blog/2020/02/03/improvements-in-pmm-bug-fixes-in-percona-server-percona-backup-for-mongodb-alert-release-roundup-2-3-2020 https://www.percona.com/doc/percona-monitoring-and-management/2.x/release-notes/2.2.1.html • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •