Percona Open source database vendor, MongoDB, MySQL, PostgreSQL or MariaDB
Products by Percona Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2024 there have been 0 vulnerabilities in Percona . Last year Percona had 2 security vulnerabilities published. Right now, Percona is on track to have less security vulnerabilities in 2024 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 0 | 0.00 |
| 2023 | 2 | 8.80 |
| 2022 | 2 | 7.00 |
| 2021 | 2 | 8.10 |
| 2020 | 4 | 7.98 |
| 2019 | 1 | 9.80 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Percona vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Percona Security Vulnerabilities
In Percona XtraBackup (PXB) through 2.2.24 and 3.x through 8.0.27-19
CVE-2022-25834
7.8 - High
- June 07, 2023
In Percona XtraBackup (PXB) through 2.2.24 and 3.x through 8.0.27-19, a crafted filename on the local file system could trigger unexpected command shell execution of arbitrary commands.
Command Injection
In Percona Monitoring and Management (PMM) server 2.x before 2.37.1
CVE-2023-34409
9.8 - Critical
- June 06, 2023
In Percona Monitoring and Management (PMM) server 2.x before 2.37.1, the authenticate function in auth_server.go does not properly formalize and sanitize URL paths to reject path traversal attempts. This allows an unauthenticated remote user, when a crafted POST request is made against unauthenticated API routes, to access otherwise protected API routes leading to escalation of privileges and information disclosure.
Directory traversal
An issue in the fetch_step function in Percona Server for MySQL v8.0.28-19
CVE-2022-34968
7.5 - High
- August 03, 2022
An issue in the fetch_step function in Percona Server for MySQL v8.0.28-19 allows attackers to cause a Denial of Service (DoS) via a SQL query.
SQL Injection
Percona XtraBackup 2.4.20 unintentionally writes the command line to any resulting backup file output
CVE-2022-26944
6.5 - Medium
- June 02, 2022
Percona XtraBackup 2.4.20 unintentionally writes the command line to any resulting backup file output. This may include sensitive arguments passed at run time. In addition, when --history is passed at run time, this command line is also written to the PERCONA_SCHEMA.xtrabackup_history table. NOTE: this issue exists because of an incomplete fix for CVE-2020-10997.
A flaw was found in the mysql-wsrep component of mariadb
CVE-2020-15180
9 - Critical
- May 27, 2021
A flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitization in `wsrep_sst_method` allows for command injection that can be exploited by a remote attacker to execute arbitrary commands on galera cluster nodes. This threatens the system's confidentiality, integrity, and availability. This flaw affects mariadb versions before 10.1.47, before 10.2.34, before 10.3.25, before 10.4.15 and before 10.5.6.
Command Injection
A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37
CVE-2021-27928
7.2 - High
- March 19, 2021
A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.
Code Injection
An issue was discovered in the MongoDB Simple LDAP plugin through 2020-10-02 for Percona Server when using the SimpleLDAP authentication in conjunction with Microsofts Active Directory, Percona has discovered a flaw
CVE-2020-26542
9.8 - Critical
- November 09, 2020
An issue was discovered in the MongoDB Simple LDAP plugin through 2020-10-02 for Percona Server when using the SimpleLDAP authentication in conjunction with Microsofts Active Directory, Percona has discovered a flaw that would allow authentication to complete when passing a blank value for the account password, leading to access against the service integrated with which Active Directory is deployed at the level granted to the authenticating account.
authentification
An issue was discovered in Percona XtraDB Cluster before 5.7.28-31.41.2
CVE-2020-10996
8.1 - High
- April 27, 2020
An issue was discovered in Percona XtraDB Cluster before 5.7.28-31.41.2. A bundled script inadvertently sets a static transition_key for SST processes in place of the random key expected.
Use of Hard-coded Credentials
Percona XtraBackup before 2.4.20 unintentionally writes the command line to any resulting backup file output
CVE-2020-10997
6.5 - Medium
- April 27, 2020
Percona XtraBackup before 2.4.20 unintentionally writes the command line to any resulting backup file output. This may include sensitive arguments passed at run time. In addition, when --history is passed at run time, this command line is also written to the PERCONA_SCHEMA.xtrabackup_history table.
Improper Input Validation
pmm-server in Percona Monitoring and Management (PMM) 2.2.x before 2.2.1
CVE-2020-7920
7.5 - High
- February 06, 2020
pmm-server in Percona Monitoring and Management (PMM) 2.2.x before 2.2.1 allows unauthenticated denial of service.
Resource Exhaustion
The Percona Server 5.6.44-85.0-1 packages for Debian and Ubuntu suffered an issue where the server
CVE-2019-12301
9.8 - Critical
- May 23, 2019
The Percona Server 5.6.44-85.0-1 packages for Debian and Ubuntu suffered an issue where the server would reset the root password to a blank value upon an upgrade. This was fixed in 5.6.44-85.0-2.
mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17, when using file-based logging
CVE-2016-6664
7 - High
- December 13, 2016
mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17, when using file-based logging, allows local users with access to the mysql account to gain root privileges via a symlink attack on error logs and possibly other files.
insecure temporary file
Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7
CVE-2016-6662
9.8 - Critical
- September 20, 2016
Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib. NOTE: the affected MySQL version information is from Oracle's October 2016 CPU. Oracle has not commented on third-party claims that the issue was silently patched in MySQL 5.5.52, 5.6.33, and 5.7.15.
Permissions, Privileges, and Access Controls