GHSA-wx8q-4gm9-rj2g
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wx8q-4gm9-rj2g
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-wx8q-4gm9-rj2g/GHSA-wx8q-4gm9-rj2g.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-wx8q-4gm9-rj2g
- Aliases
- Related
- Published
- 2024-03-15T16:35:11Z
- Modified
- 2025-04-09T19:58:59Z
- Severity
-
- 4.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Fluid vulnerable to OS Command Injection for Fluid Users with JuicefsRuntime
- Details
-
Impact
OS command injection vulnerability within the Fluid project's JuicefsRuntime can potentially allow an authenticated user, who has the authority to create or update the K8s CRD Dataset/JuicefsRuntime, to execute arbitrary OS commands within the juicefs related containers. This could lead to unauthorized access, modification or deletion of data.
Patches
For users who're using version < 0.9.3 with JuicefsRuntime, upgrade to v0.9.3.
References
Are there any links users can visit to find out more?
Credits
Special thanks to the discovers of this issue:
Xiaozheng Zhang xiaozheng_zhang@outlook.com
- Database specific
{ "nvd_published_at": "2024-03-15T19:15:06Z", "cwe_ids": [ "CWE-78" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-03-15T16:35:11Z" }- References
-
- https://github.com/fluid-cloudnative/fluid/security/advisories/GHSA-wx8q-4gm9-rj2g
- https://nvd.nist.gov/vuln/detail/CVE-2023-51699
- https://github.com/fluid-cloudnative/fluid/commit/02b7cd8b79a26092df95d625664994bda485c722
- https://github.com/fluid-cloudnative/fluid/commit/e0184cff8790ad000c3e8943392c7f544fad7d66
- https://github.com/fluid-cloudnative/fluid
Affected packages
Go / github.com/fluid-cloudnative/fluid
Package
- Name
- github.com/fluid-cloudnative/fluid
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/fluid-cloudnative/fluid