CVE-2023-46742
MEDIUM 4.8
Description
CubeFS is an open-source cloud-native file storage system. CubeFS prior to version 3.3.1 was found to leak users' secret keys and access keys in the logs of multiple components. When CubeFS creates new users, it leaks the user's secret key. This could allow a lower-privileged user with access to the logs to retrieve sensitive information and impersonate other users with higher privileges than themselves. The issue has been patched in v3.3.1. There is no other mitigation than upgrading CubeFS.
CVE Details
CVSS v3.1 Score: 4.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Attack Vector: LOCAL
Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Published: 1/3/2024
Last Modified: 11/21/2024
Source: nvd
Honeypot Sightings: 0
Affected Products
linuxfoundation:cubefs
Weaknesses (CWE)
CWE-532
References
https://github.com/cubefs/cubefs/commit/8dccce6ac8dff3db44d7e9074094c7303a5ff5dd (security-advisories@github.com)
https://github.com/cubefs/cubefs/security/advisories/GHSA-vwch-g97w-hfg2 (security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.