Percona: >> Monitoring And Management >> 2.0.0 Security Vulnerabilities
An issue was discovered in Percona PMM before 3.7. Because an internal database user retains specific superuser privileges, an attacker with pmm-admin rights can abuse the "Add data source" feature to break out of the database context and execute shell commands on the underlying operating system.
CVSS Score
9.9
EPSS Score
0.001
Published
2026-04-02
In Percona Monitoring and Management (PMM) server 2.x before 2.37.1, the authenticate function in auth_server.go does not properly formalize and sanitize URL paths to reject path traversal attempts. This allows an unauthenticated remote user, when a crafted POST request is made against unauthenticated API routes, to access otherwise protected API routes leading to escalation of privileges and information disclosure.
CVSS Score
9.8
EPSS Score
0.02
Published
2023-06-06