{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26133", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-14T17:40:03.687Z", "datePublished": "2024-02-21T16:49:32.426Z", "dateUpdated": "2024-08-01T23:59:32.615Z"}, "containers": {"cna": {"title": "EventStoreDB Projections Subsystem has potential password leak", "problemTypes": [{"descriptions": [{"cweId": "CWE-256", "lang": "en", "description": "CWE-256: Plaintext Storage of a Password", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684"}, {"name": "https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf", "tags": ["x_refsource_MISC"], "url": "https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf"}, {"name": "https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version", "tags": ["x_refsource_MISC"], "url": "https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version"}, {"name": "https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10", "tags": ["x_refsource_MISC"], "url": "https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10"}, {"name": "https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133", "tags": ["x_refsource_MISC"], "url": "https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133"}, {"name": "https://www.eventstore.com/blog/new-version-strategy", "tags": ["x_refsource_MISC"], "url": "https://www.eventstore.com/blog/new-version-strategy"}], "affected": [{"vendor": "EventStore", "product": "EventStore", "versions": [{"version": ">= 23.0.0, < 23.10.1", "status": "affected"}, {"version": ">= 22.0.0, < 22.10.5", "status": "affected"}, {"version": ">= 21.0.0, < 21.10.11", "status": "affected"}, {"version": ">= 20.0.0, < 20.10.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-21T16:49:32.426Z"}, "descriptions": [{"lang": "en", "value": "EventStoreDB (ESDB) is an operational database built to store events. A vulnerability has been identified in the projections subsystem in versions 20 prior to 20.10.6, 21 prior to 21.10.11, 22 prior to 22.10.5, and 23 prior to 23.10.1. Only database instances that use custom projections are affected by this vulnerability. User passwords may become accessible to those who have access to the chunk files on disk, and users who have read access to system streams. Only users in the `$admins` group can access system streams by default. ESDB 23.10.1, 22.10.5, 21.10.11, and 20.10.6 contain a patch for this issue. Users should upgrade EventStoreDB, reset the passwords for current and previous members of `$admins` and `$ops` groups, and, if a password was reused in any other system, reset it in those systems to a unique password to follow best practices. If an upgrade cannot be done immediately, reset the passwords for current and previous members of `$admins` and `$ops` groups. Avoid creating custom projections until the patch has been applied."}], "source": {"advisory": "GHSA-6r53-v8hj-x684", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26133", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-21T20:39:57.383915Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:21:53.650Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:59:32.615Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684"}, {"name": "https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf"}, {"name": "https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version"}, {"name": "https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10"}, {"name": "https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133"}, {"name": "https://www.eventstore.com/blog/new-version-strategy", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.eventstore.com/blog/new-version-strategy"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26133", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-21T20:39:57.383915Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:40.496Z"}}], "cna": {"title": "EventStoreDB Projections Subsystem has potential password leak", "source": {"advisory": "GHSA-6r53-v8hj-x684", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "EventStore", "product": "EventStore", "versions": [{"status": "affected", "version": ">= 23.0.0, < 23.10.1"}, {"status": "affected", "version": ">= 22.0.0, < 22.10.5"}, {"status": "affected", "version": ">= 21.0.0, < 21.10.11"}, {"status": "affected", "version": ">= 20.0.0, < 20.10.6"}]}], "references": [{"url": "https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684", "name": "https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf", "name": "https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf", "tags": ["x_refsource_MISC"]}, {"url": "https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version", "name": "https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version", "tags": ["x_refsource_MISC"]}, {"url": "https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10", "name": "https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10", "tags": ["x_refsource_MISC"]}, {"url": "https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133", "name": "https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133", "tags": ["x_refsource_MISC"]}, {"url": "https://www.eventstore.com/blog/new-version-strategy", "name": "https://www.eventstore.com/blog/new-version-strategy", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "EventStoreDB (ESDB) is an operational database built to store events. A vulnerability has been identified in the projections subsystem in versions 20 prior to 20.10.6, 21 prior to 21.10.11, 22 prior to 22.10.5, and 23 prior to 23.10.1. Only database instances that use custom projections are affected by this vulnerability. User passwords may become accessible to those who have access to the chunk files on disk, and users who have read access to system streams. Only users in the `$admins` group can access system streams by default. ESDB 23.10.1, 22.10.5, 21.10.11, and 20.10.6 contain a patch for this issue. Users should upgrade EventStoreDB, reset the passwords for current and previous members of `$admins` and `$ops` groups, and, if a password was reused in any other system, reset it in those systems to a unique password to follow best practices. If an upgrade cannot be done immediately, reset the passwords for current and previous members of `$admins` and `$ops` groups. Avoid creating custom projections until the patch has been applied."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-256", "description": "CWE-256: Plaintext Storage of a Password"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-21T16:49:32.426Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26133", "state": "PUBLISHED", "dateUpdated": "2024-07-05T17:21:53.650Z", "dateReserved": "2024-02-14T17:40:03.687Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-02-21T16:49:32.426Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kurrent:eventstoredb:*:*:*:*:open-source:*:*:*", "matchCriteriaId": "121A0F5F-F477-4096-B9DD-56B345A1DF25", "versionEndExcluding": "20.10.6", "versionStartIncluding": "20.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kurrent:eventstoredb:*:*:*:*:open-source:*:*:*", "matchCriteriaId": "0F82D0FF-AB86-47A8-B276-94665844CDDC", "versionEndExcluding": "21.10.11", "versionStartIncluding": "21.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kurrent:eventstoredb:*:*:*:*:open-source:*:*:*", "matchCriteriaId": "34D1C437-C3A1-4307-861A-12D5DBE30220", "versionEndExcluding": "22.10.5", "versionStartIncluding": "22.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kurrent:eventstoredb:*:*:*:*:open-source:*:*:*", "matchCriteriaId": "BB3E5FBA-1300-4774-A3D4-64F5FA02375D", "versionEndExcluding": "23.10.1", "versionStartIncluding": "23.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "EventStoreDB (ESDB) is an operational database built to store events. A vulnerability has been identified in the projections subsystem in versions 20 prior to 20.10.6, 21 prior to 21.10.11, 22 prior to 22.10.5, and 23 prior to 23.10.1. Only database instances that use custom projections are affected by this vulnerability. User passwords may become accessible to those who have access to the chunk files on disk, and users who have read access to system streams. Only users in the `$admins` group can access system streams by default. ESDB 23.10.1, 22.10.5, 21.10.11, and 20.10.6 contain a patch for this issue. Users should upgrade EventStoreDB, reset the passwords for current and previous members of `$admins` and `$ops` groups, and, if a password was reused in any other system, reset it in those systems to a unique password to follow best practices. If an upgrade cannot be done immediately, reset the passwords for current and previous members of `$admins` and `$ops` groups. Avoid creating custom projections until the patch has been applied."}, {"lang": "es", "value": "EventStoreDB (ESDB) es una base de datos operativa creada para almacenar eventos. Se ha identificado una vulnerabilidad en el subsistema de proyecciones en las versiones 20 anteriores a la 20.10.6, 21 anteriores a la 21.10.11, 22 anteriores a la 22.10.5 y 23 anteriores a la 23.10.1. Esta vulnerabilidad solo afecta las instancias de bases de datos que utilizan proyecciones personalizadas. Las contrase\u00f1as de usuario pueden volverse accesibles para aquellos que tienen acceso a los archivos fragmentados en el disco y para los usuarios que tienen acceso de lectura a las secuencias del sistema. Solo los usuarios del grupo `$admins` pueden acceder a las transmisiones del sistema de forma predeterminada. ESDB 23.10.1, 22.10.5, 21.10.11 y 20.10.6 contienen un parche para este problema. Los usuarios deben actualizar EventStoreDB, restablecer las contrase\u00f1as de los miembros actuales y anteriores de los grupos `$admins` y `$ops` y, si se reutiliz\u00f3 una contrase\u00f1a en cualquier otro sistema, restablecerla en esos sistemas a una contrase\u00f1a \u00fanica para seguir las mejores pr\u00e1cticas. Si no se puede realizar una actualizaci\u00f3n de inmediato, restablezca las contrase\u00f1as de los miembros actuales y anteriores de los grupos `$admins` y `$ops`. Evite crear proyecciones personalizadas hasta que se haya aplicado el parche."}], "id": "CVE-2024-26133", "lastModified": "2025-02-04T15:07:56.017", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-21T17:15:10.060", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684"}, {"source": "security-advisories@github.com", "tags": ["Broken Link"], "url": "https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133"}, {"source": "security-advisories@github.com", "tags": ["Broken Link"], "url": "https://www.eventstore.com/blog/new-version-strategy"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://www.eventstore.com/blog/new-version-strategy"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-256"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}