CVE-2023-46742

2024-01-0317:15:11

CWE-532

GitHub_M

web.nvd.nist.gov

cubefs

cve-2023-46742

security vulnerability

cloud storage

data leakage

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.2

Confidence

High

EPSS

0.001

Percentile

18.1%

JSON

CubeFS is an open-source cloud-native file storage system. CubeFS prior to version 3.3.1 was found to leak users secret keys and access keys in the logs in multiple components. When CubeCS creates new users, it leaks the users secret key. This could allow a lower-privileged user with access to the logs to retrieve sensitive information and impersonate other users with higher privileges than themselves. The issue has been patched in v3.3.1. There is no other mitigation than upgrading CubeFS.

Affected configurations

Nvd

Vulners

Node

linuxfoundationcubefsRange<3.3.1

VendorProductVersionCPE
linuxfoundationcubefs*cpe:2.3:a:linuxfoundation:cubefs:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
linuxfoundation	cubefs	*	cpe:2.3:a:linuxfoundation:cubefs::::::::

CNA Affected

[
  {
    "vendor": "cubefs",
    "product": "cubefs",
    "versions": [
      {
        "version": "< 3.3.1",
        "status": "affected"
      }
    ]
  }
]