CVE-2023-46742

Опубликовано: 03 янв. 2024

Источник: nvd

CVSS3: 4.8

CVSS3: 6.5

EPSS Низкий

Описание

CubeFS is an open-source cloud-native file storage system. CubeFS prior to version 3.3.1 was found to leak users secret keys and access keys in the logs in multiple components. When CubeCS creates new users, it leaks the users secret key. This could allow a lower-privileged user with access to the logs to retrieve sensitive information and impersonate other users with higher privileges than themselves. The issue has been patched in v3.3.1. There is no other mitigation than upgrading CubeFS.

Ссылки

https://github.com/cubefs/cubefs/commit/8dccce6ac8dff3db44d7e9074094c7303a5ff5dd
Patch
https://github.com/cubefs/cubefs/security/advisories/GHSA-vwch-g97w-hfg2
Third Party Advisory
https://github.com/cubefs/cubefs/commit/8dccce6ac8dff3db44d7e9074094c7303a5ff5dd
Patch
https://github.com/cubefs/cubefs/security/advisories/GHSA-vwch-g97w-hfg2
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:linuxfoundation:cubefs:*:*:*:*:*:*:*:*

Версия до 3.3.1 (исключая)

EPSS

Процентиль: 14%

0.00046

Низкий

4.8 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-532

Связанные уязвимости

GHSA-vwch-g97w-hfg2

CVSS3: 4.8

github

около 2 лет назад

CubeFS leaks users key in logs

EPSS

Процентиль: 14%

0.00046

Низкий

4.8 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-532