CVE-2023-46739

CubeFS is an open-source cloud-native file storage system. A vulnerability was found during in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the UserService of the master component. The UserService gets instantiated when starting the server of the master component. The issue has been patched in v3.3.1. For impacted users, there is no other way to mitigate the issue besides upgrading.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/cubefs/cubefs/commit/6a0d5fa45a77ff20c752fa9e44738bf5d86c84bd	Patch
https://github.com/cubefs/cubefs/security/advisories/GHSA-8579-7p32-f398	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:linuxfoundation:cubefs:*:*:*:*:*:*:*:*

History

10 Jan 2024, 17:06

Type	Values Removed	Values Added
CPE		cpe:2.3:a:linuxfoundation:cubefs::::::::
First Time		Linuxfoundation cubefs Linuxfoundation
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.9
References	~~() https://github.com/cubefs/cubefs/security/advisories/GHSA-8579-7p32-f398 -~~	() https://github.com/cubefs/cubefs/security/advisories/GHSA-8579-7p32-f398 - Third Party Advisory
References	~~() https://github.com/cubefs/cubefs/commit/6a0d5fa45a77ff20c752fa9e44738bf5d86c84bd -~~	() https://github.com/cubefs/cubefs/commit/6a0d5fa45a77ff20c752fa9e44738bf5d86c84bd - Patch

03 Jan 2024, 17:26

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-03 17:15

Updated : 2024-02-28 20:54

NVD link : CVE-2023-46739

Mitre link : CVE-2023-46739

CVE.ORG link : CVE-2023-46739

JSON object : View

Products Affected

linuxfoundation

cubefs

CWE

CWE-203

Observable Discrepancy

{"id": "CVE-2023-46739", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.7, "exploitabilityScore": 2.2}]}, "published": "2024-01-03T17:15:10.303", "references": [{"url": "https://github.com/cubefs/cubefs/commit/6a0d5fa45a77ff20c752fa9e44738bf5d86c84bd", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/cubefs/cubefs/security/advisories/GHSA-8579-7p32-f398", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-203"}]}], "descriptions": [{"lang": "en", "value": "CubeFS is an open-source cloud-native file storage system. A vulnerability was found during in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the UserService of the master component. The UserService gets instantiated when starting the server of the master component. The issue has been patched in v3.3.1. For impacted users, there is no other way to mitigate the issue besides upgrading."}, {"lang": "es", "value": "CubeFS es un sistema de almacenamiento de archivos nativo de la nube de c\u00f3digo abierto. Se encontr\u00f3 una vulnerabilidad en el componente maestro de CubeFS en versiones anteriores a la 3.3.1 que podr\u00eda permitir a un atacante no confiable robar contrase\u00f1as de usuario mediante la realizaci\u00f3n de un ataque de sincronizaci\u00f3n. El caso ra\u00edz de la vulnerabilidad fue que CubeFS utiliz\u00f3 una comparaci\u00f3n de contrase\u00f1as sin formato. La parte vulnerable de CubeFS era el UserService del componente maestro. Se crea una instancia de UserService al iniciar el servidor del componente maestro. El problema se solucion\u00f3 en la versi\u00f3n 3.3.1. Para los usuarios afectados, no hay otra forma de mitigar el problema adem\u00e1s de actualizar."}], "lastModified": "2024-01-10T17:06:39.047", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:cubefs:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6E8D59D8-6863-4398-9D77-2442BAF81108", "versionEndExcluding": "3.3.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}