← Back to CVEs
CVE-2023-34409
CRITICAL9.8
Description
In Percona Monitoring and Management (PMM) server 2.x before 2.37.1, the authenticate function in auth_server.go does not properly formalize and sanitize URL paths to reject path traversal attempts. This allows an unauthenticated remote user, when a crafted POST request is made against unauthenticated API routes, to access otherwise protected API routes leading to escalation of privileges and information disclosure.
CVE Details
CVSS v3.1 Score9.8
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published6/6/2023
Last Modified1/8/2025
Sourcenvd
Honeypot Sightings0
Affected Products
percona:monitoring_and_management
Weaknesses (CWE)
CWE-22CWE-22
References
https://www.percona.com/blog/pmm-authentication-bypass-vulnerability-fixed-in-2-37-1/(cve@mitre.org)
https://www.percona.com/blog/pmm-authentication-bypass-vulnerability-fixed-in-2-37-1/(af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.