CVE-2023-46741
CubeFS Config Key Log Exposure Vulnerability
Description
CubeFS is an open-source cloud-native file storage system. A vulnerability was found in CubeFS prior to version 3.3.1 that could allow users to read sensitive data from the logs which could allow them escalate privileges. CubeFS leaks configuration keys in plaintext format in the logs. These keys could allow anyone to carry out operations on blobs that they otherwise do not have permissions for. For example, an attacker that has succesfully retrieved a secret key from the logs can delete blogs from the blob store. The attacker can either be an internal user with limited privileges to read the log, or they can be an external user who has escalated privileges sufficiently to access the logs. The vulnerability has been patched in v3.3.1. There is no other mitigation than upgrading.
INFO
Published Date :
Jan. 3, 2024, 5:15 p.m.
Last Modified :
Nov. 21, 2024, 8:29 a.m.
Source :
[email protected]
Remotely Exploitable :
Yes !
Impact Score :
5.9
Exploitability Score :
3.9
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2023-46741
.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2023-46741
vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2023-46741
vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Nov. 21, 2024
Action Type Old Value New Value Added Reference https://github.com/cubefs/cubefs/commit/972f0275ee8d5dbba4b1530da7c145c269b31ef5 Added Reference https://github.com/cubefs/cubefs/security/advisories/GHSA-8h2x-gr2c-c275 -
CVE Modified by [email protected]
May. 14, 2024
Action Type Old Value New Value -
Initial Analysis by [email protected]
Jan. 10, 2024
Action Type Old Value New Value Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Changed Reference Type https://github.com/cubefs/cubefs/commit/972f0275ee8d5dbba4b1530da7c145c269b31ef5 No Types Assigned https://github.com/cubefs/cubefs/commit/972f0275ee8d5dbba4b1530da7c145c269b31ef5 Patch Changed Reference Type https://github.com/cubefs/cubefs/security/advisories/GHSA-8h2x-gr2c-c275 No Types Assigned https://github.com/cubefs/cubefs/security/advisories/GHSA-8h2x-gr2c-c275 Third Party Advisory Added CWE NIST NVD-CWE-noinfo Added CPE Configuration OR *cpe:2.3:a:linuxfoundation:cubefs:*:*:*:*:*:*:*:* versions up to (excluding) 3.3.1 -
CVE Received by [email protected]
Jan. 03, 2024
Action Type Old Value New Value Added Description CubeFS is an open-source cloud-native file storage system. A vulnerability was found in CubeFS prior to version 3.3.1 that could allow users to read sensitive data from the logs which could allow them escalate privileges. CubeFS leaks configuration keys in plaintext format in the logs. These keys could allow anyone to carry out operations on blobs that they otherwise do not have permissions for. For example, an attacker that has succesfully retrieved a secret key from the logs can delete blogs from the blob store. The attacker can either be an internal user with limited privileges to read the log, or they can be an external user who has escalated privileges sufficiently to access the logs. The vulnerability has been patched in v3.3.1. There is no other mitigation than upgrading. Added Reference GitHub, Inc. https://github.com/cubefs/cubefs/security/advisories/GHSA-8h2x-gr2c-c275 [No types assigned] Added Reference GitHub, Inc. https://github.com/cubefs/cubefs/commit/972f0275ee8d5dbba4b1530da7c145c269b31ef5 [No types assigned] Added CWE GitHub, Inc. CWE-200 Added CVSS V3.1 GitHub, Inc. AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2023-46741
is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2023-46741
weaknesses.
Exploit Prediction
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.
0.10 }} -0.01%
score
0.41669
percentile