security-research-notebook/mysql-credential-exposure/index.html

331 lines · html
<!doctype html>
<html lang="en"><head><meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Aiven Internal System Account Password Hashes Exposed to Customer Users via mysql.user SELECT on Aiven Managed MySQL | Zion Boggan</title>
<meta name="description" content="MySQL binlog ACL bypass surfaces replication credentials.">
<link rel="icon" href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 32 32'%3E%3Crect width='32' height='32' rx='6' fill='%230c0e12'/%3E%3Ctext x='16' y='22' font-family='monospace' font-size='15' fill='%236cc7b8' text-anchor='middle'%3Ezb%3C/text%3E%3C/svg%3E">
<style>
  :root{
    --bg:#0c0e12; --bg2:#0f1217; --panel:#14181f; --panel2:#171c24;
    --line:#222936; --line2:#2c3543;
    --ink:#e8eaed; --soft:#c3cad4; --muted:#8a94a3; --faint:#5d6675;
    --accent:#6cc7b8; --accent-dim:#274b47;
    --maxw:1020px;
  }
  *{box-sizing:border-box;}
  html{scroll-behavior:smooth;}
  body{margin:0;background:var(--bg);color:var(--ink);
    font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Helvetica,Arial,sans-serif;
    font-size:16px;line-height:1.65;-webkit-font-smoothing:antialiased;}
  .mono{font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,monospace;}
  a{color:var(--accent);text-decoration:none;}
  a:hover{color:#8fe0d2;}
  .wrap{max-width:var(--maxw);margin:0 auto;padding:0 24px;}
 
  /* nav */
  nav{position:sticky;top:0;z-index:20;background:rgba(12,14,18,.82);
    backdrop-filter:blur(10px);border-bottom:1px solid var(--line);}
  nav .wrap{display:flex;align-items:center;justify-content:space-between;height:58px;}
  nav .brand{font-weight:600;letter-spacing:.2px;}
  nav .brand .dot{color:var(--accent);}
  nav .links{display:flex;gap:26px;font-size:13.5px;}
  nav .links a{color:var(--muted);}
  nav .links a:hover{color:var(--ink);}
  @media(max-width:680px){nav .links{display:none;}}
 
  /* hero */
  header.hero{padding:74px 0 54px;border-bottom:1px solid var(--line);
    background:radial-gradient(900px 380px at 78% -10%, #11201e 0%, transparent 60%);}
  .avail{font-size:12.5px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);
    display:flex;align-items:center;gap:9px;margin-bottom:20px;}
  .avail .pulse{width:7px;height:7px;border-radius:50%;background:var(--accent);
    box-shadow:0 0 0 0 rgba(108,199,184,.5);animation:p 2.4s infinite;}
  @keyframes p{0%{box-shadow:0 0 0 0 rgba(108,199,184,.45)}70%{box-shadow:0 0 0 8px rgba(108,199,184,0)}100%{box-shadow:0 0 0 0 rgba(108,199,184,0)}}
  h1{font-size:clamp(34px,6vw,52px);line-height:1.05;margin:0 0 8px;letter-spacing:-1px;font-weight:680;}
  .hero .sub{font-size:clamp(16px,2.4vw,20px);color:var(--soft);margin:0 0 24px;font-weight:500;}
  .hero .lede{max-width:660px;color:var(--soft);font-size:17px;margin:0 0 28px;}
  .hero .lede b{color:var(--ink);font-weight:600;}
  .cta{display:flex;flex-wrap:wrap;gap:12px;align-items:center;}
  .btn{display:inline-flex;align-items:center;gap:8px;padding:10px 18px;border-radius:8px;
    font-size:14.5px;font-weight:550;border:1px solid var(--line2);color:var(--ink);background:var(--panel);}
  .btn:hover{border-color:var(--accent-dim);background:var(--panel2);color:var(--ink);}
  .btn.primary{background:var(--accent);color:#06231f;border-color:var(--accent);font-weight:650;}
  .btn.primary:hover{background:#8fe0d2;color:#06231f;}
  .meta{margin-top:26px;display:flex;flex-wrap:wrap;gap:8px 22px;font-size:13px;color:var(--muted);}
  .meta .mono{color:var(--faint);}
 
  /* sections */
  section{padding:64px 0;border-bottom:1px solid var(--line);}
  .shead{display:flex;align-items:baseline;gap:14px;margin-bottom:30px;}
  .shead .idx{font-size:13px;color:var(--accent);letter-spacing:1px;}
  .shead h2{font-size:14px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:0;font-weight:600;}
  .shead .rule{flex:1;height:1px;background:var(--line);}
 
  /* flagship */
  .flag{background:linear-gradient(180deg,var(--panel) 0%,var(--bg2) 100%);
    border:1px solid var(--line2);border-radius:14px;overflow:hidden;}
  .flag .top{padding:30px 32px 8px;}
  .flag .tag{font-size:12px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);margin-bottom:12px;}
  .flag h3{font-size:27px;margin:0 0 6px;letter-spacing:-.4px;}
  .flag h3 .v{font-size:13px;color:var(--muted);font-weight:500;margin-left:8px;letter-spacing:0;}
  .flag .grid{display:grid;grid-template-columns:1.25fr 1fr;gap:30px;padding:14px 32px 30px;}
  .flag p{color:var(--soft);margin:0 0 16px;}
  .flag .stats{display:grid;grid-template-columns:1fr 1fr;gap:12px;margin-top:6px;}
  .stat{background:var(--bg);border:1px solid var(--line);border-radius:9px;padding:13px 15px;}
  .stat .n{font-size:21px;font-weight:680;color:var(--ink);}
  .stat .k{font-size:12px;color:var(--muted);margin-top:2px;}
  .spec{background:var(--bg);border:1px solid var(--line);border-radius:10px;padding:18px 18px;}
  .spec .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:10px;}
  .spec ul{margin:0;padding:0;list-style:none;font-size:13.5px;}
  .spec li{padding:6px 0;border-top:1px solid var(--line);color:var(--soft);display:flex;justify-content:space-between;gap:14px;}
  .spec li:first-child{border-top:none;}
  .spec li span{color:var(--muted);}
  .flag .foot{padding:0 32px 28px;display:flex;gap:18px;flex-wrap:wrap;font-size:14px;}
  @media(max-width:720px){.flag .grid{grid-template-columns:1fr;}}
 
  /* lab cards */
  .cards{display:grid;grid-template-columns:1fr 1fr;gap:20px;}
  @media(max-width:680px){.cards{grid-template-columns:1fr;}}
  .card{border:1px solid var(--line);border-radius:12px;overflow:hidden;background:var(--panel);
    display:flex;flex-direction:column;transition:border-color .15s,transform .15s;}
  .card:hover{border-color:var(--accent-dim);transform:translateY(-2px);}
  .card .thumb{height:172px;overflow:hidden;border-bottom:1px solid var(--line);background:#fff;}
  .card .thumb img{width:100%;height:100%;object-fit:cover;object-position:top left;display:block;}
  .card .body{padding:18px 20px 20px;display:flex;flex-direction:column;flex:1;}
  .card h3{margin:0 0 9px;font-size:17px;}
  .card p{margin:0 0 14px;font-size:14px;color:var(--soft);flex:1;}
  .tags{display:flex;flex-wrap:wrap;gap:6px;margin-bottom:14px;}
  .tags span{font-size:11.5px;color:var(--muted);background:var(--bg);border:1px solid var(--line);
    border-radius:5px;padding:3px 8px;}
  .card .lnk{font-size:13.5px;font-family:ui-monospace,Menlo,monospace;}
  .card .lnk::after{content:" →";}
 
  /* research */
  .rlede{color:var(--soft);max-width:680px;margin:-6px 0 26px;}
  .research{display:flex;flex-direction:column;gap:0;border:1px solid var(--line);border-radius:12px;overflow:hidden;}
  .ritem{display:grid;grid-template-columns:120px 1fr auto;gap:18px;align-items:center;
    padding:18px 22px;border-top:1px solid var(--line);}
  .ritem:first-child{border-top:none;}
  .ritem:hover{background:var(--panel);}
  .ritem .cls{font-size:11px;letter-spacing:.5px;text-transform:uppercase;color:var(--accent);}
  .ritem h3{margin:0 0 3px;font-size:16px;}
  .ritem p{margin:0;font-size:13.5px;color:var(--muted);}
  .ritem .go{font-family:ui-monospace,Menlo,monospace;font-size:13px;white-space:nowrap;}
  @media(max-width:680px){.ritem{grid-template-columns:1fr;gap:6px;}.ritem .go{margin-top:4px;}}
  .progs{margin-top:22px;}
  .progs .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:11px;}
  .progs .row{display:flex;flex-wrap:wrap;gap:7px;}
  .progs .row span{font-size:12.5px;color:var(--soft);background:var(--panel);border:1px solid var(--line);
    border-radius:6px;padding:4px 10px;}
 
  /* credentials */
  .cred{display:grid;grid-template-columns:1.1fr 1fr;gap:28px;}
  @media(max-width:680px){.cred{grid-template-columns:1fr;}}
  .cred p{color:var(--soft);margin:0 0 14px;}
  .cred .role{font-size:14px;color:var(--muted);}
  .cred .role b{color:var(--ink);font-weight:600;}
  .certs{list-style:none;margin:0;padding:0;}
  .certs li{padding:9px 0;border-top:1px solid var(--line);font-size:14px;color:var(--soft);
    display:flex;gap:10px;align-items:baseline;}
  .certs li:first-child{border-top:none;}
  .certs li .c{color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:12px;}
 
  footer{padding:46px 0 64px;}
  footer .row{display:flex;flex-wrap:wrap;justify-content:space-between;gap:18px;align-items:center;}
  footer .links a{color:var(--soft);margin-right:20px;font-size:14px;}
  footer .note{color:var(--faint);font-size:12.5px;max-width:520px;}
 
  .detail-hero{padding:40px 0 26px;}
  .back{display:inline-block;font-size:13px;color:var(--muted);margin-bottom:20px;font-family:ui-monospace,Menlo,monospace;}
  .back:hover{color:var(--ink);}
  .kicker{font-size:12px;letter-spacing:2px;text-transform:uppercase;color:var(--accent);margin-bottom:13px;font-family:ui-monospace,Menlo,monospace;}
  .detail-hero h1{font-size:clamp(26px,4.6vw,38px);margin:0 0 12px;letter-spacing:-.5px;}
  .detail-hero .tagline{font-size:clamp(15px,2vw,18px);color:var(--soft);max-width:800px;margin:0 0 16px;}
  .facts{display:grid;grid-template-columns:repeat(auto-fit,minmax(150px,1fr));gap:12px;margin-top:22px;}
  .content{padding:8px 0 0;max-width:840px;}
  .content h1{font-size:24px;margin:40px 0 14px;letter-spacing:-.4px;color:var(--ink);}
  .content h2{font-size:13px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:42px 0 15px;font-weight:600;border-top:1px solid var(--line);padding-top:28px;}
  .content h3{font-size:17px;margin:28px 0 10px;color:var(--ink);font-weight:600;}
  .content h4{font-size:14px;margin:22px 0 8px;color:var(--soft);font-weight:600;text-transform:uppercase;letter-spacing:.5px;}
  .content p{color:var(--soft);margin:0 0 15px;}
  .content ul,.content ol{color:var(--soft);margin:0 0 15px;padding-left:22px;}
  .content li{margin:5px 0;}
  .content strong{color:var(--ink);font-weight:600;}
  .content a{color:var(--accent);}
  .content code{font-family:ui-monospace,Menlo,monospace;font-size:12.8px;background:var(--panel2);border:1px solid var(--line);border-radius:4px;padding:1px 5px;color:var(--soft);}
  .content pre{background:var(--bg2);border:1px solid var(--line2);border-radius:10px;padding:15px 18px;overflow-x:auto;margin:0 0 18px;}
  .content pre code{background:none;border:none;padding:0;font-size:12.4px;color:var(--soft);line-height:1.6;white-space:pre;}
  .content table{width:100%;border-collapse:collapse;margin:2px 0 20px;font-size:13.3px;}
  .content th{text-align:left;color:var(--muted);font-weight:600;border-bottom:1px solid var(--line2);padding:9px 12px;font-size:11px;letter-spacing:.6px;text-transform:uppercase;}
  .content td{color:var(--soft);border-bottom:1px solid var(--line);padding:9px 12px;vertical-align:top;}
  .content blockquote{border-left:3px solid var(--accent-dim);margin:0 0 16px;padding:2px 0 2px 18px;color:var(--muted);}
  .content hr{border:none;border-top:1px solid var(--line);margin:30px 0;}
  /* notebook index */
  .nbgroup{margin:40px 0 0;}
  .nbgroup h2{font-size:13px;letter-spacing:2px;text-transform:uppercase;color:var(--accent);margin:0 0 4px;font-weight:600;}
  .nbgroup .gd{color:var(--faint);font-size:13px;margin:0 0 14px;}
  .nbtable{width:100%;border-collapse:collapse;font-size:14px;border:1px solid var(--line);border-radius:12px;overflow:hidden;}
  .nbtable tr{border-top:1px solid var(--line);}
  .nbtable tr:first-child{border-top:none;}
  .nbtable tr:hover{background:var(--panel);}
  .nbtable td{padding:14px 16px;vertical-align:top;}
  .nbtable .cls{white-space:nowrap;color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:11.5px;text-transform:uppercase;letter-spacing:.5px;width:150px;}
  .nbtable .ti a{font-weight:600;color:var(--ink);}
  .nbtable .ti a:hover{color:var(--accent);}
  .nbtable .ol{color:var(--muted);font-size:13px;margin-top:3px;}
  @media(max-width:680px){.nbtable .cls{width:auto;display:block;}}
</style>
<link rel="canonical" href="https://zionboggan.com/security-research-notebook/mysql-credential-exposure/">
<meta name="author" content="Zion Boggan">
<meta name="robots" content="index, follow, max-image-preview:large">
<meta property="og:type" content="article">
<meta property="og:site_name" content="Zion Boggan">
<meta property="og:title" content="Aiven Internal System Account Password Hashes Exposed to Customer Users via mysql.user SELECT on Aiven Managed MySQL | Zion Boggan">
<meta property="og:description" content="MySQL binlog ACL bypass surfaces replication credentials.">
<meta property="og:url" content="https://zionboggan.com/security-research-notebook/mysql-credential-exposure/">
<meta property="og:image" content="https://zionboggan.com/assets/og-default.png">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:title" content="Aiven Internal System Account Password Hashes Exposed to Customer Users via mysql.user SELECT on Aiven Managed MySQL | Zion Boggan">
<meta name="twitter:description" content="MySQL binlog ACL bypass surfaces replication credentials.">
<meta name="twitter:image" content="https://zionboggan.com/assets/og-default.png">
<script type="application/ld+json">{"@context":"https://schema.org","@type":"TechArticle","headline":"Aiven Internal System Account Password Hashes Exposed to Customer Users via mysql.user SELECT on Aiven Managed MySQL","description":"MySQL binlog ACL bypass surfaces replication credentials.","url":"https://zionboggan.com/security-research-notebook/mysql-credential-exposure/","image":"https://zionboggan.com/assets/og-default.png","author":{"@type":"Person","name":"Zion Boggan","url":"https://zionboggan.com"},"publisher":{"@type":"Person","name":"Zion Boggan"}}</script>
</head><body>
<nav><div class="wrap">
  <a class="brand mono" href="/" style="color:var(--ink)">zion_boggan<span class="dot">.</span></a>
  <span class="links"><a href="/#oversight">Oversight</a><a href="/#labs">Labs</a><a href="/#research">Research</a><a href="/security-research-notebook/">Notebook</a><a href="/">Home</a></span>
</div></nav>
<header class="hero detail-hero"><div class="wrap">
  <a class="back" href="/security-research-notebook/">&larr; Research notebook</a>
  <div class="kicker">Info disclosure</div>
  <h1>Aiven Internal System Account Password Hashes Exposed to Customer Users via mysql.user SELECT on Aiven Managed MySQL</h1>
</div></header>
<section><div class="wrap"><div class="content">
<h2>Summary</h2>
<p>On Aiven&rsquo;s managed MySQL service, the default <code>avnadmin</code> user has unrestricted <code>SELECT</code> access to the <code>mysql.user</code> system table, which exposes the <code>caching_sha2_password</code> password hashes for ALL system accounts, including Aiven&rsquo;s internal <code>root</code> user, the <code>repluser</code> replication account, and the <code>metrics_user_datadog</code> and <code>metrics_user_telegraf</code> monitoring accounts.</p>
<p>The root account (<code>root@fda7:a938:5bfe:5fa6:%</code>) has full <code>SUPER</code>, <code>FILE</code>, <code>SHUTDOWN</code>, and all administrative privileges, and is accessible from any host within Aiven&rsquo;s internal IPv6 ULA prefix. Any customer who can crack the root password hash and access the internal network (e.g., via a cross-service SSRF from another compromised Aiven service) gains full MySQL root access with capabilities far exceeding what <code>avnadmin</code> is intended to have, including <code>FILE</code> (arbitrary file read/write), <code>SUPER</code> (bypass all restrictions), and <code>SHUTDOWN</code>.</p>
<p>Aiven demonstrates clear intent to restrict <code>avnadmin</code>&lsquo;s access to the mysql system schema by explicitly revoking INSERT, UPDATE, DELETE, CREATE, DROP, and other write privileges on <code>mysql.*</code>. However, <code>SELECT</code> was not revoked, exposing all credential data.</p>
<h2>Affected Target</h2>
<ul>
<li><strong>Service:</strong> Aiven for MySQL (Tier 2)</li>
<li><strong>Version tested:</strong> MySQL 8.0.45</li>
<li><strong>Instance:</strong> <host>:12741</li>
</ul>
<h2>Severity</h2>
<p><strong>P2, Sensitive Data Exposure</strong></p>
<p><strong>VRT:</strong> Server Security Misconfiguration &gt; Database Management System (DBMS) Misconfiguration &gt; Excessively Privileged User / DBA</p>
<p><strong>CVSS 3.1:</strong> <code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N</code>, <strong>Score: 7.7 (High)</strong></p>
<ul>
<li><strong>C:H</strong>, Complete credential exposure of all system accounts including root</li>
<li><strong>S:C</strong>, Scope changed: customer credentials expose Aiven&rsquo;s internal infrastructure accounts</li>
</ul>
<h2>Steps to Reproduce</h2>
<h3>One-command credential dump</h3>
<pre><code class="language-sql">SELECT user, host, plugin, authentication_string, Super_priv, 
       Grant_priv, password_expired, account_locked 
FROM mysql.user;
</code></pre>
<h3>Actual output on Aiven (redacted hashes truncated):</h3>
<pre><code>+----------------------------+-------------------------------+---------------------------+--------------------------------------------------+
| user                       | host                          | plugin                    | authentication_string (truncated)                |
+----------------------------+-------------------------------+---------------------------+--------------------------------------------------+
| avnadmin                   | %                             | caching_sha2_password     | $A$005$&lt;hash&gt;                                    |
| repluser                   | %                             | caching_sha2_password     | $A$005$&lt;hash&gt;                                    |
| metrics_user_datadog       | ::1                           | caching_sha2_password     | $A$005$&lt;hash&gt;                                    |
| metrics_user_telegraf      | ::1                           | caching_sha2_password     | $A$005$&lt;hash&gt;                                    |
| root                       | fda7:a938:5bfe:5fa6:%         | caching_sha2_password     | $A$005$&lt;hash&gt;  (Super=Y, Grant=Y, locked=N)      |
| mysql.infoschema           | localhost                     | caching_sha2_password     | THISISACOMBINATIONOFINVALID...                   |
| mysql.session              | localhost                     | caching_sha2_password     | THISISACOMBINATIONOFINVALID...                   |
| mysql.sys                  | localhost                     | caching_sha2_password     | THISISACOMBINATIONOFINVALID...                   |
+----------------------------+-------------------------------+---------------------------+--------------------------------------------------+
</code></pre>
<h3>Key exposed accounts:</h3>
<table>
<thead>
<tr>
<th>Account</th>
<th>Host Restriction</th>
<th>Privileges</th>
<th>Risk</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>root</code></td>
<td><code>fda7:a938:5bfe:5fa6:%</code></td>
<td>ALL + SUPER + FILE + SHUTDOWN</td>
<td>Full server control from internal network</td>
</tr>
<tr>
<td><code>repluser</code></td>
<td><code>%</code> (any host)</td>
<td>REPLICATION SLAVE + SERVICE_CONNECTION_ADMIN</td>
<td>Binary log streaming from anywhere</td>
</tr>
<tr>
<td><code>metrics_user_datadog</code></td>
<td><code>::1</code> (localhost)</td>
<td>Monitoring access</td>
<td>Internal monitoring disruption</td>
</tr>
<tr>
<td><code>metrics_user_telegraf</code></td>
<td><code>::1</code> (localhost)</td>
<td>Monitoring access</td>
<td>Internal monitoring disruption</td>
</tr>
</tbody>
</table>
<h2>Impact</h2>
<h3>1. Internal Root Account Credential Exposure</h3>
<p>The <code>root@fda7:a938:5bfe:5fa6:%</code> user has ALL privileges including SUPER, FILE, and SHUTDOWN. Its password hash is fully exposed. The host restriction uses Aiven&rsquo;s internal IPv6 ULA prefix (<code>fda7:a938:5bfe:5fa6::/80</code>), which is shared across Aiven services in the same region.</p>
<p>An attacker who cracks the root hash can escalate to full MySQL root from any other Aiven service on the internal network, gaining capabilities that <code>avnadmin</code> intentionally lacks:
- <strong>FILE privilege</strong>: Read/write arbitrary files on the MySQL host
- <strong>SUPER privilege</strong>: Bypass all access restrictions, change global variables, kill any process
- <strong>SHUTDOWN privilege</strong>: Stop the MySQL server
- <strong>SYSTEM_VARIABLES_ADMIN</strong>: Enable <code>local_infile</code>, change <code>secure_file_priv</code>, modify logging</p>
<h3>2. Replication Account Exposure</h3>
<p>The <code>repluser@%</code> account has REPLICATION SLAVE privilege with no host restriction. If its password is cracked, an attacker can connect from any IP and stream the entire binary log, exfiltrating ALL data changes including INSERTs with sensitive values (passwords, tokens, PII).</p>
<h3>3. Cross-Service Escalation Path</h3>
<p>The internal IPv6 prefix <code>fda7:a938:5bfe:5fa6::/80</code> is the same prefix discovered via PostgreSQL SSRF (documented in separate submission). This creates a cross-service attack chain:</p>
<pre><code>Customer MySQL (avnadmin) → SELECT mysql.user → root password hash
                          → Crack hash offline
Customer PG (SSRF via dblink) → Connect to MySQL internal IPv6
                              → Authenticate as root with cracked password  
                              → Full MySQL root: FILE, SUPER, SHUTDOWN
</code></pre>
<h3>4. Additional Information Disclosure</h3>
<p>The <code>admin_address</code> global variable reveals the MySQL admin interface binding: <code>fda7:a938:5bfe:5fa6:0:5a9:6ce7:66e1</code>. Combined with the root hash, this pinpoints the exact target for internal privilege escalation.</p>
<p>Binary logs are also readable via <code>SHOW BINLOG EVENTS</code>, exposing all DDL/DML history including CREATE USER statements with IDENTIFIED BY clauses.</p>
<h2>Root Cause</h2>
<p>Aiven&rsquo;s privilege model for <code>avnadmin</code> explicitly revokes write operations on the <code>mysql</code> schema:</p>
<pre><code class="language-sql">REVOKE INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, 
       CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, 
       CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER 
ON &quot;mysql&quot;.* FROM &quot;avnadmin&quot;@&quot;%&quot;
</code></pre>
<p>This demonstrates Aiven&rsquo;s intent to restrict access to system tables. However, <code>SELECT</code> was not included in the revocation, allowing full read access to <code>mysql.user</code> and all system tables containing credentials and configuration.</p>
<h2>Recommended Fix</h2>
<ol>
<li>
<p><strong>Immediate:</strong> Revoke SELECT on <code>mysql.user</code> for <code>avnadmin</code>:
   <code>sql
   REVOKE SELECT ON mysql.user FROM 'avnadmin'@'%';</code>
   Or more broadly:
   <code>sql
   REVOKE SELECT ON mysql.* FROM 'avnadmin'@'%';
   GRANT SELECT ON mysql.func TO 'avnadmin'@'%';  -- if needed for UDF listing</code></p>
</li>
<li>
<p><strong>Defense in depth:</strong> Restrict the <code>root</code> user&rsquo;s host to a narrower range than the entire <code>/80</code> prefix, or disable the root account entirely and manage via a separate orchestration channel.</p>
</li>
<li>
<p><strong>Rotate credentials:</strong> The exposed hashes for root, repluser, and monitoring accounts should be rotated, as they may have already been read by other researchers or attackers.</p>
</li>
</ol>
<hr><p style="color:var(--faint);font-size:12.5px;font-family:ui-monospace,Menlo,monospace">Source &middot; github.com/zionboggan/security-research-notebook &middot; writeups/aiven/mysql-credential-exposure.md</p>
</div></div></section>
<footer><div class="wrap row">
  <div class="links"><a href="/">Portfolio</a><a href="https://www.linkedin.com/in/zion-boggan">LinkedIn</a><a href="/security-research-notebook/">Notebook</a><a href="mailto:zionboggan0@gmail.com">Email</a></div>
  <div class="note">Coordinated-disclosure research. Findings appear here only after the program's disclosure window closed, the patch shipped, or a CVE was published. No customer data was accessed.</div>
</div></footer>
</body></html>