Charmed MySQL K8s Operator Database Credential Leak Vulnerability
Vulnerability
A vulnerability exists in the Charmed MySQL K8s operator, in versions prior to 221, that can lead to the unintentional exposure of database user credentials. The issue arises from the way the operator executes SQL Data Definition Language (DDL) statements and Python-based MySQL Shell scripts. In affected versions the operator writes a temporary script file that includes the full connection URI, together with the username and password. Because this file is created with permissions that allow other users to read it, an unprivileged user on the same host can read the credentials while the operator is running. In addition, when the MySQL command-line interface (CLI) is used to create operator users, the generated DDL can include the sensitive credentials, which may be leaked through the same temporary-file mechanism.
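To make the failure mode concrete, the following is an added illustration, not the charm's own code: a hypothetical helper writes a MySQL Shell script that embeds the connection URI into a temporary file, once with a plain `open()` that inherits the process umask and once with `mkstemp()`, and an audit function reports whether the resulting file is readable by other users. The credentials, hostname and script text are constructed placeholders.

```python
import os
import stat
import tempfile

# Constructed placeholder credentials, not values from the advisory.
USER = "operator-user"
PASSWORD = "placeholder-password"
HOST = "mysql-k8s-0.mysql-k8s-endpoints"

def build_shell_script(user: str, password: str, host: str) -> str:
    """Hypothetical MySQL Shell (Python mode) script; the URI embeds the password."""
    return f"shell.connect('{user}:{password}@{host}:3306')\nsession.run_sql('SELECT 1')\n"

def write_script_vulnerable(script: str, directory: str) -> str:
    """Vulnerable pattern: a plain open() inherits the process umask (0o022 assumed here),
    so the file is created 0o644 and any local user can read the embedded password."""
    path = os.path.join(directory, "mysql-script.py")
    old_umask = os.umask(0o022)
    try:
        with open(path, "w") as f:
            f.write(script)
    finally:
        os.umask(old_umask)
    return path

def write_script_hardened(script: str, directory: str) -> str:
    """Hardened pattern: mkstemp() creates the file 0o600 regardless of umask.
    The caller should still delete it as soon as the script has run."""
    fd, path = tempfile.mkstemp(suffix=".py", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(script)
    return path

def readable_by_others(path: str) -> bool:
    """Audit check: does the file mode grant read access to group or others?"""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def demo() -> dict:
    """Write the same script both ways and report the audit result for each copy."""
    script = build_shell_script(USER, PASSWORD, HOST)
    with tempfile.TemporaryDirectory() as d:
        vuln, safe = write_script_vulnerable(script, d), write_script_hardened(script, d)
        return {"vulnerable": readable_by_others(vuln), "hardened": readable_by_others(safe)}
```

The audit function is the check to run against an operator's scratch directory on a live host: any script file that reports `True` while it still contains a URI is the exposure the advisory describes.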
Impact
Exploitation of this vulnerability compromises database user credentials, potentially allowing unauthorized access to the database. This issue affects all users of the Charmed MySQL K8s operator.
Reproduction
To reproduce this vulnerability, create a MySQL user through the Charmed MySQL K8s operator. The process will generate a temporary file containing the user's credentials, which can be accessed by an unprivileged user. Alternatively, execute a SQL DDL or Python-based MySQL Shell script using the operator, which will also result in a temporary file being created with the same credential leakage.
Remediation
Users are advised to update to version 221 or later, where this vulnerability has been addressed. For those using the MySQL K8s operator, follow the upgrade guide available on Charmhub.
