Severity Framework: Snyk CCSS
Rule category: Data / Access
- Snyk ID SNYK-CC-00362
- credit Snyk Research Team
Description
Users might be able to see database names without having been explicitly authorized to access them.
How to fix?
Set a settings.database_flags block, with name as skip_show_database and value as on.
Example Configuration
resource "google_sql_database_instance" "allowed" {
  name             = "allowed-instance"
  database_version = "MYSQL_8_0"
  region           = "us-central1"

  settings {
    tier = "db-f1-micro"

    database_flags {
      name  = "skip_show_database"
      value = "on"
    }

    database_flags {
      name  = "performance_schema"
      value = "off"
    }
  }
}
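
A pre-apply check for the fix above, added here as an example (not Snyk's own code): it walks a plan in the shape produced by `terraform show -json` and reports every MySQL google_sql_database_instance whose skip_show_database flag is missing or not set to on. The function names and the sample plan are constructed for illustration, and limiting the check to MySQL database versions is an assumption based on skip_show_database being a MySQL server option.

```python
FLAG = "skip_show_database"

def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def flag_value(values, flag_name):
    """Return the value of a database flag, or None if it is not set."""
    for settings in values.get("settings") or []:  # nested blocks are lists in plan JSON
        for flag in settings.get("database_flags") or []:
            if flag.get("name") == flag_name:
                return flag.get("value")
    return None

def find_violations(plan):
    """Return addresses of MySQL instances without skip_show_database = on."""
    root = plan.get("planned_values", {}).get("root_module", {})
    bad = []
    for res in iter_resources(root):
        if res.get("type") != "google_sql_database_instance":
            continue
        values = res.get("values") or {}
        # Assumption: only MySQL engines are in scope for this flag.
        if not str(values.get("database_version", "")).upper().startswith("MYSQL"):
            continue
        if str(flag_value(values, FLAG)).lower() != "on":
            bad.append(res.get("address"))
    return sorted(bad)

# Constructed sample plan (not real output): one compliant instance, one with
# the flag missing, and one in a child module with the flag set to "off".
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "google_sql_database_instance.allowed",
         "type": "google_sql_database_instance",
         "values": {"database_version": "MYSQL_8_0", "settings": [{"database_flags": [
             {"name": "skip_show_database", "value": "on"},
             {"name": "performance_schema", "value": "off"}]}]}},
        {"address": "google_sql_database_instance.missing",
         "type": "google_sql_database_instance",
         "values": {"database_version": "MYSQL_8_0", "settings": [{"tier": "db-f1-micro"}]}}],
    "child_modules": [{"resources": [
        {"address": "module.db.google_sql_database_instance.off",
         "type": "google_sql_database_instance",
         "values": {"database_version": "MYSQL_5_7", "settings": [{"database_flags": [
             {"name": "skip_show_database", "value": "off"}]}]}}]}]}}}

if __name__ == "__main__":
    print(find_violations(SAMPLE_PLAN))
```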