
73 matches found

EUVD
added 2025/10/03 8:7 p.m., views: 1

EUVD-2024-0441

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 6.5 | EPSS 0.00046
Exploits 0 | References 4

EUVD
added 2025/10/03 8:7 p.m., views: 1

EUVD-2024-0297

Malicious code in bioql PyPI...

CVSS 9.8 | AI score 9.2 | EPSS 0.00041
Exploits 0 | References 4

EUVD
added 2025/10/03 8:7 p.m., views: 2

EUVD-2024-0290

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 6.2 | EPSS 0.00062
Exploits 0 | References 5

EUVD
added 2025/10/03 8:7 p.m., views: 1

EUVD-2024-0400

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 6.5 | EPSS 0.0007
Exploits 0 | References 4

EUVD
added 2025/10/03 8:7 p.m., views: 2

EUVD-2023-1244

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 6.5 | EPSS 0.00175
Exploits 1 | References 3

EUVD
added 2025/10/03 8:7 p.m., views: 1

EUVD-2024-0236

Malicious code in bioql PyPI...

CVSS 9.8 | AI score 9.2 | EPSS 0.00072
Exploits 0 | References 4

RedhatCVE
added 2025/05/23 4:52 a.m., views: 4

CVE-2023-46739

CubeFS is an open-source cloud-native file storage system. A vulnerability was found in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root cause of the vulnerability was that CubeFS...

CVSS 6.5 | AI score 6.6 | EPSS 0.00062
Exploits 0

RedhatCVE
added 2025/05/23 3:43 a.m., views: 7

CVE-2023-30512

CubeFS through 3.2.1 allows Kubernetes cluster-level privilege escalation. This occurs because DaemonSet has cfs-csi-cluster-role and can thus list all secrets, including the admin secret...

CVSS 6.5 | AI score 6.9 | EPSS 0.00175
Exploits 1 | References 1

OSV
added 2024/06/28 3:28 p.m., views: 14

GO-2024-2434 CubeFS leaks users key in logs in github.com/cubefs/cubefs

CubeFS leaks users key in logs in github.com/cubefs/cubefs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please suggest an edit t...

CVSS 6.5 | AI score 6.3 | EPSS 0.00046
Exploits 0 | References 3

OSV
added 2024/06/28 3:28 p.m., views: 17

GO-2024-2432 CubeFS timing attack can leak user passwords in github.com/cubefs/cubefs

CubeFS timing attack can leak user passwords in github.com/cubefs/cubefs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please...

CVSS 6.5 | AI score 5.9 | EPSS 0.00062
Exploits 0 | References 4

OSV
added 2024/06/28 3:28 p.m., views: 12

GO-2024-2433 CubeFS leaks magic secret key when starting Blobstore access service in github.com/cubefs/cubefs

CubeFS leaks magic secret key when starting Blobstore access service in github.com/cubefs/cubefs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...

CVSS 9.8 | AI score 9.3 | EPSS 0.00041
Exploits 0 | References 3

OSV
added 2024/06/28 3:28 p.m., views: 15

GO-2024-2430 Authenticated users can crash the CubeFS servers with maliciously crafted requests in github.com/cubefs/cubefs

Authenticated users can crash the CubeFS servers with maliciously crafted requests in github.com/cubefs/cubefs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports...

CVSS 6.5 | AI score 6.2 | EPSS 0.0007
Exploits 0 | References 3

Veracode
added 2024/01/05 2:34 p.m., views: 18

Insufficient Randomness

github.com/cubefs/cubefs is vulnerable to use of insufficiently random strings. The vulnerability is due to the creation of an accessKey that is insufficiently random. This allows an attacker to predict and/or guess the generated string and impersonate a user, thereby obtaining higher privileges...

CVSS 9.8 | AI score 7 | EPSS 0.00072
Exploits 0 | References 3 | Affected Software 1

Veracode
added 2024/01/05 1:59 p.m., views: 18

Information Disclosure

github.com/cubefs/cubefs is vulnerable to Information Exposure. The vulnerability is due to CubeFS leaking configuration keys in plaintext logs. This allows an attacker to read sensitive data from the logs and allows anyone to carry out operations on blobs...

CVSS 9.8 | AI score 6.8 | EPSS 0.00041
Exploits 0 | References 4 | Affected Software 1

Veracode
added 2024/01/05 1:15 p.m., views: 16

Information Disclosure

github.com/cubefs/cubefs is vulnerable to Information Exposure. The vulnerability is due to the leakage of users' secret keys and access keys in the logs in multiple components. This allows an attacker with access to the logs to retrieve sensitive information and impersonate other users...

CVSS 6.5 | AI score 6.6 | EPSS 0.00046
Exploits 0 | References 4 | Affected Software 1

Veracode
added 2024/01/04 9:41 a.m., views: 24

Timing Attack

github.com/cubefs/cubefs is vulnerable to a timing attack. The vulnerability is due to raw string comparisons within the CubeFS master component. This allows an attacker to steal user passwords by observing the timing between password attempts...

CVSS 6.5 | AI score 7.2 | EPSS 0.00062
Exploits 0 | References 2 | Affected Software 1

Veracode
added 2024/01/04 7:27 a.m., views: 16

Denial Of Service (DoS)

github.com/cubefs/cubefs is vulnerable to Denial of Service (DoS). The vulnerability is due to improper handling of incoming HTTP requests in a CubeFS HandlerNode that could allow authenticated users to send maliciously crafted requests that would crash the ObjectNode. An attacker can send a...

CVSS 6.5 | AI score 6.5 | EPSS 0.0007
Exploits 0 | References 2 | Affected Software 1

NVD
added 2024/01/03 5:15 p.m., views: 9

CVE-2023-46742

CubeFS is an open-source cloud-native file storage system. CubeFS prior to version 3.3.1 was found to leak users' secret keys and access keys in the logs in multiple components. When CubeFS creates new users, it leaks the user's secret key. This could allow a lower-privileged user with access to th...

CVSS 6.5 | AI score 5.2 | EPSS 0.00046
Exploits 0 | References 2

NVD
added 2024/01/03 5:15 p.m., views: 12

CVE-2023-46740

CubeFS is an open-source cloud-native file storage system. Prior to version 3.3.1, CubeFS used an insecure random string generator to generate user-specific, sensitive keys used to authenticate users in a CubeFS deployment. This could allow an attacker to predict and/or guess the generated string...

CVSS 9.8 | AI score 6.9 | EPSS 0.00072
Exploits 0 | References 2

NVD
added 2024/01/03 5:15 p.m., views: 9

CVE-2023-46741

CubeFS is an open-source cloud-native file storage system. A vulnerability was found in CubeFS prior to version 3.3.1 that could allow users to read sensitive data from the logs, which could allow them to escalate privileges. CubeFS leaks configuration keys in plaintext format in the logs. These keys...

CVSS 9.8 | AI score 6.1 | EPSS 0.00041
Exploits 0 | References 2