CVE-2023-46740

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-46740
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-46740.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-46740
Aliases
Related
Published
2024-01-03T17:15:10Z
Modified
2025-01-15T05:00:18.200412Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

CubeFS is an open-source cloud-native file storage system. Prior to version 3.3.1, CubeFS used an insecure random string generator to generate user-specific, sensitive keys used to authenticate users in a CubeFS deployment. This could allow an attacker to predict and/or guess the generated string and impersonate a user thereby obtaining higher privileges. When CubeFS creates new users, it creates a piece of sensitive information for the user called the “accessKey”. To create the "accesKey", CubeFS uses an insecure string generator which makes it easy to guess and thereby impersonate the created user. An attacker could leverage the predictable random string generator and guess a users access key and impersonate the user to obtain higher privileges. The issue has been fixed in v3.3.1. There is no other mitigation than to upgrade.

References

Affected packages

Git / github.com/cubefs/cubefs

Affected ranges

Type
GIT
Repo
https://github.com/cubefs/cubefs
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

v1.*

v1.0.0
v1.1.0
v1.1.1
v1.2.0
v1.3.0
v1.4.0
v1.5.0
v1.5.1

v2.*

v2.0.0
v2.0.0-rc.1
v2.1.0
v2.1.0-rc.1
v2.2.0
v2.2.1
v2.2.2
v2.3.0-rc.1
v2.4.0-rc.0
v2.5.0-rc.0

v3.*

v3.0.0
v3.1.0
v3.1.1
v3.1.2
v3.2.0
v3.2.1
v3.3.0