U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. Vulnerabilities

CVE-2025-24375 Detail

Description

Charmed MySQL K8s operator is a Charmed Operator for running MySQL on Kubernetes. Before revision 221, the method for calling a SQL DDL or python based mysql-shell scripts can leak database users credentials. The method mysql-operator calls mysql-shell application rely on writing to a temporary script file containing the full URI, with user and password. The file can be read by a unprivileged user during the operator runtime, due it being created with read permissions (0x644). On other cases, when calling mysql cli, for one specific case when creating the operator users, the DDL contains said users credentials, which can be leak through the same mechanism of a temporary file. All versions prior to revision 221 for kubernetes and revision 338 for machine operators.


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NIST CVSS score
NIST: NVD
N/A
NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL Source(s) Tag(s)
https://github.com/canonical/mysql-k8s-operator/commit/7c6b1206fcbc7324b72f413c5e63216e742a71a1 GitHub, Inc.
https://github.com/canonical/mysql-k8s-operator/pull/553 GitHub, Inc.
https://github.com/canonical/mysql-k8s-operator/security/advisories/GHSA-g83v-7694-2hf7 GitHub, Inc.
https://github.com/canonical/mysql-operator/commit/1fb61c1ee3e396cdce13d5e8155f2f32a860f89e GitHub, Inc.
https://github.com/canonical/mysql-operator/pull/579 GitHub, Inc.

Weakness Enumeration

CWE-ID CWE Name Source
CWE-256 Plaintext Storage of a Password GitHub, Inc.  

Change History

1 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2025-24375
NVD Published Date:
04/09/2025
NVD Last Modified:
04/11/2025
Source:
GitHub, Inc.