CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-26701
https://notcve.org/view.php?id=CVE-2025-26701
11 Mar 2025 — An issue was discovered in Percona PMM Server (OVA) before 3.0.0-1.ova. The default service account credentials can lead to SSH access, use of Sudo to root, and sensitive data exposure. This is fixed in PMM2 2.42.0-1.ova, 2.43.0-1.ova, 2.43.1-1.ova, 2.43.2-1.ova, and 2.44.0-1.ova and in PMM3 3.0.0-1.ova and later. • https://www.percona.com/blog/security-advisory-cve-affecting-percona-monitoring-and-management-pmm • CWE-1393: Use of Default Password •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7701 – Misuse of SHA256 to create an encryption key
https://notcve.org/view.php?id=CVE-2024-7701
15 Dec 2024 — Use of Password Hash With Insufficient Computational Effort vulnerability in percona percona-toolkit allows Encryption Brute Forcing.This issue affects percona-toolkit: 3.6.0. • https://github.com/percona/percona-toolkit/blob/aa1ac0e6889168fddf73c3a72d447e9ea0c0c63b/src/go/pt-secure-collect/encrypt.go#L17 • CWE-916: Use of Password Hash With Insufficient Computational Effort •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-25834 – Ubuntu Security Notice USN-6745-1
https://notcve.org/view.php?id=CVE-2022-25834
07 Jun 2023 — In Percona XtraBackup (PXB) through 2.2.24 and 3.x through 8.0.27-19, a crafted filename on the local file system could trigger unexpected command shell execution of arbitrary commands. Multiple vulnerabilities have been discovered in Percona XtraBackup, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 8.0.29.22 are affected. • https://docs.percona.com/percona-xtrabackup/8.0/release-notes/8.0/8.0.32-26.0.html#improvements • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 10.0EPSS: 2%CPEs: 1EXPL: 0CVE-2023-34409
https://notcve.org/view.php?id=CVE-2023-34409
06 Jun 2023 — In Percona Monitoring and Management (PMM) server 2.x before 2.37.1, the authenticate function in auth_server.go does not properly formalize and sanitize URL paths to reject path traversal attempts. This allows an unauthenticated remote user, when a crafted POST request is made against unauthenticated API routes, to access otherwise protected API routes leading to escalation of privileges and information disclosure. • https://www.percona.com/blog/pmm-authentication-bypass-vulnerability-fixed-in-2-37-1 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-34968
https://notcve.org/view.php?id=CVE-2022-34968
03 Aug 2022 — An issue in the fetch_step function in Percona Server for MySQL v8.0.28-19 allows attackers to cause a Denial of Service (DoS) via a SQL query. Un problema en la función fetch_step de Percona Server for MySQL versión v8.0.28-19, permite a atacantes causar una denegación de servicio (DoS) por medio de una consulta SQL • https://jira.percona.com/browse/PS-8294 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-26944 – Gentoo Linux Security Advisory 202408-15
https://notcve.org/view.php?id=CVE-2022-26944
02 Jun 2022 — Percona XtraBackup 2.4.20 unintentionally writes the command line to any resulting backup file output. This may include sensitive arguments passed at run time. In addition, when --history is passed at run time, this command line is also written to the PERCONA_SCHEMA.xtrabackup_history table. NOTE: this issue exists because of an incomplete fix for CVE-2020-10997. Percona XtraBackup versión 2.4.20, escribe involuntariamente la línea de comandos en cualquier archivo de copia de seguridad resultante. • https://docs.percona.com/percona-xtrabackup/2.4/release-notes/2.4/2.4.25.html •
CVSS: 9.0EPSS: 48%CPEs: 7EXPL: 6CVE-2021-27928 – MariaDB 10.2 - 'wsrep_provider' OS Command Execution
https://notcve.org/view.php?id=CVE-2021-27928
19 Mar 2021 — A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product. Se detectó un problema de ejecución de código remota en MariaDB versiones 10.2 a... • https://packetstorm.news/files/id/162177 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-26542
https://notcve.org/view.php?id=CVE-2020-26542
09 Nov 2020 — An issue was discovered in the MongoDB Simple LDAP plugin through 2020-10-02 for Percona Server when using the SimpleLDAP authentication in conjunction with Microsoft’s Active Directory, Percona has discovered a flaw that would allow authentication to complete when passing a blank value for the account password, leading to access against the service integrated with which Active Directory is deployed at the level granted to the authenticating account. Se detectó un problema en el plugin LDAP Simple de MongoD... • https://jira.percona.com/browse/PS-7358 • CWE-287: Improper Authentication •
CVSS: 9.0EPSS: 3%CPEs: 13EXPL: 0CVE-2020-15180 – mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep
https://notcve.org/view.php?id=CVE-2020-15180
28 Oct 2020 — A flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitization in `wsrep_sst_method` allows for command injection that can be exploited by a remote attacker to execute arbitrary commands on galera cluster nodes. This threatens the system's confidentiality, integrity, and availability. This flaw affects mariadb versions before 10.1.47, before 10.2.34, before 10.3.25, before 10.4.15 and before 10.5.6. Se encontró un fallo en el componente mysql-wsrep de mariadb. • https://bugzilla.redhat.com/show_bug.cgi?id=1894919 • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-10996
https://notcve.org/view.php?id=CVE-2020-10996
27 Apr 2020 — An issue was discovered in Percona XtraDB Cluster before 5.7.28-31.41.2. A bundled script inadvertently sets a static transition_key for SST processes in place of the random key expected. Se detectó un problema en Percona XtraDB Cluster en versiones anteriores a la 5.7.28-31.41.2. Un script empaquetado establece inadvertidamente un transition_key estático para los procesos SST en lugar de la clave aleatoria esperada. • https://jira.percona.com/browse/PXC-3117 • CWE-798: Use of Hard-coded Credentials CWE-838: Inappropriate Encoding for Output Context •