CVSS: 5.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

CVE-2025-24375 – MySQL K8s charm could leak credentials for root-level user `serverconfig`
https://notcve.org/view.php?id=CVE-2025-24375
09 Apr 2025 — Charmed MySQL K8s operator is a Charmed Operator for running MySQL on Kubernetes. Before revision 221, the method for calling SQL DDL or Python-based mysql-shell scripts can leak database users' credentials. The way mysql-operator calls the mysql-shell application relies on writing a temporary script file containing the full URI, with user and password. The file can be read by an unprivileged user during the operator runtime, because it is created with read permissions (0x644). In other cases, when calling m... • https://github.com/canonical/mysql-k8s-operator/commit/7c6b1206fcbc7324b72f413c5e63216e742a71a1 • CWE-256: Plaintext Storage of a Password