PT-2025-15871 · Canonical · Charmed MySQL Machine Operator (+1)

Paulomach · Published 2025-04-09 · Updated 2025-04-10 · CVE-2025-24375

CVSS v3.1: 5.0 (Medium)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
- Charmed MySQL K8s operator versions prior to revision 221
- Charmed MySQL machine operator versions prior to revision 338

Description: The Charmed MySQL K8s operator has a method for running SQL DDL or Python-based mysql-shell scripts that can leak database user credentials. The method the mysql-operator uses to invoke the mysql-shell application writes a temporary script file containing the full connection URI, including the user name and password. Because the file is created with permissions that allow reading by other local users, an unprivileged user can read the credentials while the operator is running. Additionally, when the operator creates its database users, the DDL itself contains those users' credentials, which can be leaked through the same temporary-file mechanism.
Recommendations: For Charmed MySQL K8s operator versions prior to revision 221, update to revision 221 or later to resolve the issue. For Charmed MySQL machine operator versions prior to revision 338, update to revision 338 or later to resolve the issue. As a temporary workaround, consider restricting access to the temporary script files created by the mysql-operator to minimize the risk of credential exposure.
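To make the weakness and the recommended workaround concrete, the following is an added Python example that is not part of the advisory or of the Charmed MySQL operator's own code. It contrasts writing a mysql-shell script with permissive default permissions against creating it with mkstemp() (mode 0600), and adds a check that flags files which both embed a user:password@host URI and are readable by other users. The file names, credentials and script contents are constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# Constructed sample credentials for the demonstration, not real values.
MYSQLSH_URI = "clusteradmin:Example-Passw0rd@10.0.0.5:3306"
CREDENTIAL_URI = re.compile(r"\b\w+:[^@\s'\"]+@[\w.-]+")  # user:password@host

def write_script_insecure(directory: str) -> str:
    # Pattern from the advisory: the script holding the full URI gets umask-derived
    # permissions; 0o644 (the usual umask 022 result) is set explicitly here.
    path = os.path.join(directory, "mysqlsh-script.py")
    with open(path, "w") as f:
        f.write(f"shell.connect('{MYSQLSH_URI}')\n")
    os.chmod(path, 0o644)
    return path

def write_script_hardened(directory: str) -> str:
    # mkstemp() creates the file with mode 0o600 regardless of umask, so only the
    # operator's own user can read the URI for as long as the script exists.
    fd, path = tempfile.mkstemp(prefix="mysqlsh-", suffix=".py", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(f"shell.connect('{MYSQLSH_URI}')\n")
    return path

def readable_by_others(path: str) -> bool:
    # True when the group or world read bit is set on the file.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def find_exposed_credential_files(directory: str) -> list[str]:
    # Defender check: files embedding a user:password@host URI that others can read.
    exposed = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or not readable_by_others(path):
            continue
        with open(path, errors="replace") as f:
            if CREDENTIAL_URI.search(f.read()):
                exposed.append(path)
    return exposed

def demo() -> tuple[bool, bool, int]:
    # Write both variants into a fresh directory and report which one leaks.
    with tempfile.TemporaryDirectory() as d:
        insecure = write_script_insecure(d)
        hardened = write_script_hardened(d)
        return readable_by_others(insecure), readable_by_others(hardened), len(find_exposed_credential_files(d))
```

demo() returns (True, False, 1): only the file written with default permissions is flagged, although both contain the same URI.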

Related Identifiers

CVE-2025-24375
GHSA-G83V-7694-2HF7

Affected Products

Charmed Mysql K8S Operator
Charmed Mysql Machine Operator