How severe is CVE-2025-24375?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5 out of 10.

What type of vulnerability is CVE-2025-24375?

This is classified as CWE-256, which is a common weakness in software security.

CVE-2025-24375 - MEDIUM Severity | CVSS 5

Vulnerability Description

Charmed MySQL K8s operator is a Charmed Operator for running MySQL on Kubernetes. Before revision 221, the method for calling a SQL DDL or python based mysql-shell scripts can leak database users credentials. The method mysql-operator calls mysql-shell application rely on writing to a temporary script file containing the full URI, with user and password. The file can be read by a unprivileged user during the operator runtime, due it being created with read permissions (0x644). On other cases, when calling mysql cli, for one specific case when creating the operator users, the DDL contains said users credentials, which can be leak through the same mechanism of a temporary file. All versions prior to revision 221 for kubernetes and revision 338 for machine operators.

Related Vulnerabilities

CVE-2024-26133

MEDIUM

CVSS:4.9(Medium)

EventStoreDB (ESDB) is an operational database built to store events. A vulnerability has been identified in the projections subsystem in versions 20 prior to 20.10.6, 21 prior to 21.10.11, 22 prior t...

CWE-2562024

CVE-2024-28971

MEDIUM

CVSS:4.9(Medium)

Dell Update Manager Plugin, versions 1.4.0 through 1.5.0, contains a Plain-text Password Storage Vulnerability in Log file. A remote high privileged attacker could potentially exploit this vulnerabili...

CWE-2562024

CVE-2024-49370

HIGH

CVSS:4.9(Medium)

Pimcore is an open source data and experience management platform. When a PortalUserObject is connected to a PimcoreUser and "Use Pimcore Backend Password" is set to true, the change password function...

CWE-2562024

CVE-2025-2770

MEDIUM

CVSS:4.9(Medium)

BEC Technologies Multiple Routers Cleartext Password Storage Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installation...

CWE-2562025

CVE-2018-7515

MEDIUM

CVSS:5.3(Medium)

In Omron CX-Supervisor Versions 3.30 and prior, access of uninitialized pointer vulnerabilities can be exploited when CX Supervisor indirectly calls an initialized pointer when parsing malformed packe...

CWE-2562018

CVE-2022-43426

MEDIUM

CVSS:5.3(Medium)

Jenkins S3 Explorer Plugin 1.0.8 and earlier does not mask the AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to observe and capture it.

CWE-2562022