Lucene search

GoogleOSV:CVE-2023-46742

HistoryJan 03, 2024 - 5:15 p.m.

CVE-2023-46742

2024-01-0317:15:11

Google

osv.dev

cubefs

cloud-native

file storage

secret keys

access keys

logs

users

sensitive information

impersonation

privilege escalation

security patch

upgrade

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.3

Confidence

High

EPSS

0.001

Percentile

18.1%

JSON

CubeFS is an open-source cloud-native file storage system. CubeFS prior to version 3.3.1 was found to leak users secret keys and access keys in the logs in multiple components. When CubeCS creates new users, it leaks the users secret key. This could allow a lower-privileged user with access to the logs to retrieve sensitive information and impersonate other users with higher privileges than themselves. The issue has been patched in v3.3.1. There is no other mitigation than upgrading CubeFS.

References

github.com/cubefs/cubefs/commit/8dccce6ac8dff3db44d7e9074094c7303a5ff5dd

github.com/cubefs/cubefs/security/advisories/GHSA-vwch-g97w-hfg2

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.3

Confidence

High

EPSS

0.001

Percentile

18.1%

JSON

Related for OSV:CVE-2023-46742