CVE-2023-30512
CubeFS
CVE-2023-46739
CVE-2023-46739 affects CubeFS (open-source cloud-native file storage). In the CubeFS master component, the UserService uses raw string comparison for passwords, enabling a timing attack that could leak user passwords. This vulnerability exists in versions prior to 3.3.1 and is fixed in v3.3.1; u...
CVE-2023-46742
CubeFS (before v3.3.1) leaks users’ secret keys and access keys in logs across multiple components, including during new user creation. This constitutes information disclosure and potentially enables log-access attackers to impersonate users. The issue is mitigated only by upgrading to v3.3.1, pe...
CVE-2023-46740
Summary: CVE-2023-46740 affects CubeFS before v3.3.1, where an insecure random string generator used for user accessKeys could be predicted, enabling an attacker to impersonate users and obtain higher privileges. The root cause is the use of a weak RNG for sensitive per-user keys during user crea...
CVE-2023-46741
CubeFS (open-source cloud-native file storage) has a vulnerability in versions prior to 3.3.1 where secrets/configuration keys are leaked in plaintext logs. The root cause is logging sensitive keys, enabling an attacker to read keys and perform operations on blobs they should not have permission ...
CVE-2023-46738
CVE-2023-46738 affects CubeFS HandlerNode (versions before 3.3.1). A malicious, authenticated user can trigger a crafted HTTP request that causes the ObjectNode to allocate memory beyond available limits, leading to memory exhaustion and denial of service. Root cause: improper handling of incomin...