CVE-2023-34409
https://notcve.org/view.php?id=CVE-2023-34409
In Percona Monitoring and Management (PMM) server 2.x before 2.37.1, the authenticate function in auth_server.go does not properly normalize and sanitize URL paths to reject path traversal attempts. This allows an unauthenticated remote user, when a crafted POST request is made against unauthenticated API routes, to access otherwise protected API routes, leading to escalation of privileges and information disclosure. • https://www.percona.com/blog/pmm-authentication-bypass-vulnerability-fixed-in-2-37-1 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
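The bug class above is an authorization gate that compares the request path as the client sent it, while the router behind it resolves "." and ".." before dispatching. The Go program below is an added illustration of that pattern and its fix; it is not PMM's code, and the route layout (/api/public/ as the unauthenticated tree, everything else protected) and the sample paths are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Hypothetical route layout used only for this example (these are not PMM's
// routes): requests under /api/public/ need no credentials, everything else
// requires an authenticated session.
const publicPrefix = "/api/public/"

// isPublic reports whether an already-canonical path is in the public tree.
func isPublic(canonical string) bool {
	return canonical == strings.TrimSuffix(publicPrefix, "/") ||
		strings.HasPrefix(canonical, publicPrefix)
}

// weakAuthorize reproduces the vulnerable pattern: the allow/deny decision is
// made on the path exactly as the client sent it. "/api/public/../admin/users"
// starts with the public prefix, so an anonymous caller is let through, but a
// router that resolves ".." will dispatch it to /api/admin/users.
func weakAuthorize(rawPath string, authenticated bool) bool {
	if isPublic(rawPath) {
		return true
	}
	return authenticated
}

// canonicalize decodes percent-escapes and collapses "." / ".." segments so the
// gate decides on the same path the router will serve. The leading "/" is
// forced so ".." can never climb above the root.
func canonicalize(rawPath string) (string, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	return path.Clean("/" + strings.TrimPrefix(decoded, "/")), nil
}

// strictAuthorize is the hardened form: normalize first, then compare. A path
// that cannot be decoded is refused outright rather than guessed at.
func strictAuthorize(rawPath string, authenticated bool) bool {
	canonical, err := canonicalize(rawPath)
	if err != nil {
		return false
	}
	if isPublic(canonical) {
		return true
	}
	return authenticated
}

func main() {
	// Constructed sample paths; none are real PMM endpoints.
	probes := []string{
		"/api/public/version",
		"/api/admin/users",
		"/api/public/../admin/users",
		"/api/public/%2e%2e/admin/users",
		"/api/public/./../admin/users",
	}
	fmt.Printf("%-34s %-20s %-6s %-6s\n", "request path", "canonical", "weak", "strict")
	for _, p := range probes {
		canonical, _ := canonicalize(p)
		fmt.Printf("%-34s %-20s %-6v %-6v\n", p, canonical,
			weakAuthorize(p, false), strictAuthorize(p, false))
	}
}
```

The check that matters is the order of operations: decode, collapse dot segments, then compare against the route table. Doing the comparison on the raw path, or normalizing only after the decision, leaves every protected route reachable through a traversal prefix that happens to match an unauthenticated one.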
CVE-2020-7920
https://notcve.org/view.php?id=CVE-2020-7920
pmm-server in Percona Monitoring and Management (PMM) 2.2.x before 2.2.1 allows unauthenticated denial of service. • https://jira.percona.com/browse/PMM-5232 https://jira.percona.com/browse/PMM-5233 https://www.percona.com/blog/2020/02/03/improvements-in-pmm-bug-fixes-in-percona-server-percona-backup-for-mongodb-alert-release-roundup-2-3-2020 https://www.percona.com/doc/percona-monitoring-and-management/2.x/release-notes/2.2.1.html • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •