CVE-2023-31135

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-31135
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-31135.json
Aliases
Published
2023-05-17T18:15:09Z
Modified
2023-11-29T09:57:46.234420Z
Details

Dgraph is an open source distributed GraphQL database. Existing Dgraph audit logs are vulnerable to brute-force attacks due to nonce collisions. The first 12 bytes of each nonce come from a baseIv that is initialized when an audit log is created; the last 4 bytes come from the length of the log line being encrypted. This is problematic because two log lines will often have the same length, so these collisions cause the same nonce to be reused many times. All audit logs generated by versions of Dgraph <v23.0.0 are affected. Attackers must have access to the system the logs are stored on. Dgraph users should upgrade to v23.0.0. Users unable to upgrade should store existing audit logs in a secure location and, for extra security, encrypt them using an external tool like gpg.
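The following Go program is an added illustration reconstructed only from the description above (it is not Dgraph's code): it derives the nonce each constructed audit line would get under the described 12-byte baseIv plus 4-byte length scheme and counts how often a nonce repeats. The counter-based variant is a hypothetical alternative shown for contrast, not the change shipped in v23.0.0.

```go
package main

import "encoding/binary"
import "fmt"

// vulnerableNonce reconstructs the scheme the advisory describes (illustration,
// not Dgraph's code): 12-byte per-file baseIv || 4-byte line length.
func vulnerableNonce(baseIv [12]byte, line []byte) [16]byte {
	var n [16]byte
	copy(n[:12], baseIv[:])
	binary.BigEndian.PutUint32(n[12:], uint32(len(line)))
	return n
}

// counterNonce is a hypothetical alternative (not the upstream fix): a per-line sequence number in the last 4 bytes.
func counterNonce(baseIv [12]byte, seq uint32) [16]byte {
	var n [16]byte
	copy(n[:12], baseIv[:])
	binary.BigEndian.PutUint32(n[12:], seq)
	return n
}

// countNonceReuse returns how many lines land on a nonce an earlier line already used.
func countNonceReuse(baseIv [12]byte, lines [][]byte, useCounter bool) int {
	seen := make(map[[16]byte]bool)
	reused := 0
	for i, line := range lines {
		n := vulnerableNonce(baseIv, line)
		if useCounter {
			n = counterNonce(baseIv, uint32(i))
		}
		if seen[n] {
			reused++
		}
		seen[n] = true
	}
	return reused
}

func main() {
	baseIv := [12]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12} // constructed
	lines := [][]byte{ // constructed audit lines; alice and bobby share a length
		[]byte(`{"user":"alice","op":"query","ok":true}`),
		[]byte(`{"user":"bobby","op":"query","ok":true}`),
		[]byte(`{"user":"carol","op":"mutate","ok":true}`),
	}
	fmt.Println("length-based reuses:", countNonceReuse(baseIv, lines, false)) // 1
	fmt.Println("counter-based reuses:", countNonceReuse(baseIv, lines, true)) // 0
}
```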

References

Affected packages

Git / github.com/dgraph-io/dgraph

Affected ranges

Type
GIT
Repo
https://github.com/dgraph-io/dgraph
Events
Introduced
0
The exact introduced commit is unknown
Fixed

Affected versions

Other

nightly

release/v20.*

release/v20.11-rc1

v0.*

v0.3
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.9.0
v0.9.1
v0.9.2
v0.9.3
v0.9.4

v1.*

v1.0.0
v1.0.1
v1.0.10
v1.0.10-rc1
v1.0.11
v1.0.11-rc1
v1.0.11-rc2
v1.0.11-rc3
v1.0.11-rc4
v1.0.12-rc1
v1.0.12-rc2
v1.0.12-rc3
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.7
v1.0.7-rc2
v1.0.7-rc3
v1.0.7-rc4
v1.0.7a
v1.0.8
v1.0.8-rc1
v1.0.8-rc2
v1.0.9
v1.0.9-rc1
v1.0.9-rc2
v1.0.9-rc3
v1.0.9-rc4
v1.0.9-rc5
v1.1.0
v1.1.0-rc2
v1.1.0-rc3
v1.1.1
v1.1.1-rc1
v1.1.1-rc2
v1.2.0-rc1

v2.*

v2.0.0-beta1
v2.0.0-rc1

v20.*

v20.11.0-rc1

v21.*

v21.03.0
v21.03.1
v21.03.2

v22.*

v22.0.0
v22.0.0-RC1-20221003
v22.0.2

v23.*

v23.0.0-beta1
v23.0.0-rc1