Cubefs
CVE-2023-46740
MEDIUM
Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
CubeFS is an open-source cloud-native file storage system. Prior to version 3.3.1, CubeFS used an insecure random string generator to generate user-specific, sensitive keys used to authenticate users in a CubeFS deployment. This could allow an attacker to predict and/or guess the generated string and impersonate a user thereby obtaining higher privileges. When CubeFS creates new users, it creates a piece of sensitive information for the user called the “accessKey”. To create the "accesKey", CubeFS uses an insecure string generator which makes it easy to guess and thereby impersonate the created user. An attacker could leverage the predictable random string generator and guess a users access key and impersonate the user to obtain higher privileges. The issue has been fixed in v3.3.1. There is no other mitigation than to upgrade.
AnalysisAI
CubeFS is an open-source cloud-native file storage system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required.
Technical ContextAI
This vulnerability is classified under CWE-330. CubeFS is an open-source cloud-native file storage system. Prior to version 3.3.1, CubeFS used an insecure random string generator to generate user-specific, sensitive keys used to authenticate users in a CubeFS deployment. This could allow an attacker to predict and/or guess the generated string and impersonate a user thereby obtaining higher privileges. When CubeFS creates new users, it creates a piece of sensitive information for the user called the “accessKey”. To create the "accesKey", CubeFS uses an insecure string generator which makes it easy to guess and thereby impersonate the created user. An attacker could leverage the predictable random string generator and guess a users access key and impersonate the user to obtain higher privileges. The issue has been fixed in v3.3.1. There is no other mitigation than to upgrade. Affected products include: Linuxfoundation Cubefs. Version information: version 3.3.1.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
CubeFS is an open-source cloud-native file storage system. Rated medium severity (CVSS 6.5), this vulnerability is remot
CubeFS is an open-source cloud-native file storage system. Rated medium severity (CVSS 6.5), this vulnerability is remot
CubeFS through 3.2.1 allows Kubernetes cluster-level privilege escalation. Rated medium severity (CVSS 6.5), this vulner
CubeFS is an open-source cloud-native file storage system. Rated medium severity (CVSS 4.8), this vulnerability is low a
CubeFS is an open-source cloud-native file storage system. Rated medium severity (CVSS 4.8), this vulnerability is low a
Same weakness CWE-330 – Use of Insufficiently Random Values
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today