CVE-2015-7224 - puppetlabs-mysql can unexpectedly create database user accounts with no password
Posted September 22, 2015
Assessed Risk Level: Medium
In previous versions of puppetlabs-mysql, a bug in username validation can unexpectedly create database user accounts with no password.
If a `mysql_user` user parameter contains a host with a netmask, the database account created does not include the netmask. A subsequent `mysql_grant` for the same user creates a second database account that includes the host and netmask, but has no password. This account could potentially be used to access the database remotely, without authentication.
Users who may have used affected versions of puppetlabs-mysql to manage database accounts containing netmasks should audit puppetlabs-mysql-managed MySQL user tables (for accounts that may have been unexpectedly created) and update to puppetlabs-mysql 3.6.1.
CVSS v2 Base Score: 6.8
Thanks to Stefan Lasiewski for responsibly disclosing this issue to us.
Affected Software Versions:
- puppetlabs-mysql 3.1.0 - 3.6.0
- puppetlabs-mysql 3.6.1