CVE-2023-46742 - Vulnerability Details - OpenCVE

CubeFS is an open-source cloud-native file storage system. CubeFS prior to version 3.3.1 was found to leak users secret keys and access keys in the logs in multiple components. When CubeCS creates new users, it leaks the users secret key. This could allow a lower-privileged user with access to the logs to retrieve sensitive information and impersonate other users with higher privileges than themselves. The issue has been patched in v3.3.1. There is no other mitigation than upgrading CubeFS.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Linuxfoundation	Cubefs

Configuration 1 [-]

cpe:2.3:a:linuxfoundation:cubefs:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/cubefs/cubefs/commit/8dccce6ac8dff3db44d7e9074094c7303a5ff5dd
https://github.com/cubefs/cubefs/security/advisories/GHSA-vwch-g97w-hfg2

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-03T16:25:36.047Z

Updated: 2024-08-02T20:53:20.883Z

Reserved: 2023-10-25T14:30:33.753Z

Link: CVE-2023-46742

Vulnrichment

No data.

NVD

Status : Modified

Published: 2024-01-03T17:15:11.010

Modified: 2024-11-21T08:29:12.450

Link: CVE-2023-46742

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-46742", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-10-25T14:30:33.753Z", "datePublished": "2024-01-03T16:25:36.047Z", "dateUpdated": "2024-08-02T20:53:20.883Z"}, "containers": {"cna": {"title": "CubeFS leaks users key in logs", "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "lang": "en", "description": "CWE-532: Insertion of Sensitive Information into Log File", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/cubefs/cubefs/security/advisories/GHSA-vwch-g97w-hfg2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cubefs/cubefs/security/advisories/GHSA-vwch-g97w-hfg2"}, {"name": "https://github.com/cubefs/cubefs/commit/8dccce6ac8dff3db44d7e9074094c7303a5ff5dd", "tags": ["x_refsource_MISC"], "url": "https://github.com/cubefs/cubefs/commit/8dccce6ac8dff3db44d7e9074094c7303a5ff5dd"}], "affected": [{"vendor": "cubefs", "product": "cubefs", "versions": [{"version": "< 3.3.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-03T16:25:36.047Z"}, "descriptions": [{"lang": "en", "value": "CubeFS is an open-source cloud-native file storage system. CubeFS prior to version 3.3.1 was found to leak users secret keys and access keys in the logs in multiple components. When CubeCS creates new users, it leaks the users secret key. This could allow a lower-privileged user with access to the logs to retrieve sensitive information and impersonate other users with higher privileges than themselves. The issue has been patched in v3.3.1. There is no other mitigation than upgrading CubeFS."}], "source": {"advisory": "GHSA-vwch-g97w-hfg2", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:53:20.883Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/cubefs/cubefs/security/advisories/GHSA-vwch-g97w-hfg2", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/cubefs/cubefs/security/advisories/GHSA-vwch-g97w-hfg2"}, {"name": "https://github.com/cubefs/cubefs/commit/8dccce6ac8dff3db44d7e9074094c7303a5ff5dd", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cubefs/cubefs/commit/8dccce6ac8dff3db44d7e9074094c7303a5ff5dd"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:cubefs:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E8D59D8-6863-4398-9D77-2442BAF81108", "versionEndExcluding": "3.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "CubeFS is an open-source cloud-native file storage system. CubeFS prior to version 3.3.1 was found to leak users secret keys and access keys in the logs in multiple components. When CubeCS creates new users, it leaks the users secret key. This could allow a lower-privileged user with access to the logs to retrieve sensitive information and impersonate other users with higher privileges than themselves. The issue has been patched in v3.3.1. There is no other mitigation than upgrading CubeFS."}, {"lang": "es", "value": "CubeFS es un sistema de almacenamiento de archivos nativo de la nube de c\u00f3digo abierto. Se descubri\u00f3 que CubeFS anterior a la versi\u00f3n 3.3.1 filtraba claves secretas de usuarios y claves de acceso en los registros de m\u00faltiples componentes. Cuando CubeCS crea nuevos usuarios, filtra la clave secreta de los usuarios. Esto podr\u00eda permitir que un usuario con menos privilegios y acceso a los registros recupere informaci\u00f3n confidencial y se haga pasar por otros usuarios con mayores privilegios que \u00e9l. El problema se solucion\u00f3 en la versi\u00f3n 3.3.1. No hay otra mitigaci\u00f3n que actualizar CubeFS."}], "id": "CVE-2023-46742", "lastModified": "2024-11-21T08:29:12.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-03T17:15:11.010", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/cubefs/cubefs/commit/8dccce6ac8dff3db44d7e9074094c7303a5ff5dd"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/cubefs/cubefs/security/advisories/GHSA-vwch-g97w-hfg2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/cubefs/cubefs/commit/8dccce6ac8dff3db44d7e9074094c7303a5ff5dd"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/cubefs/cubefs/security/advisories/GHSA-vwch-g97w-hfg2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "security-advisories@github.com", "type": "Secondary"}]}