CVE-2023-46739
Last modified
CVE-2023-46739 is a medium-severity vulnerability rated 5.9/10 on the CVSS scale. CubeFS is an open-source cloud-native file storage system. A vulnerability was found during in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. EPSS estimates a 0.35% chance of exploitation in the next 30 days.
Description
CubeFS is an open-source cloud-native file storage system. A vulnerability was found during in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the UserService of the master component. The UserService gets instantiated when starting the server of the master component. The issue has been patched in v3.3.1. For impacted users, there is no other way to mitigate the issue besides upgrading.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Cubefs | < 3.3.1 |
References
- https://github.com/cubefs/cubefs/security/advisories/GHSA-8579-7p32-f398Third Party Advisory
- https://github.com/cubefs/cubefs/security/advisories/GHSA-8579-7p32-f398Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2023-46739?
How severe is CVE-2023-46739?
How do I fix CVE-2023-46739?
Are you affected by CVE-2023-46739?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST