CVE-2023-46739 - OpenCVE

CubeFS is an open-source cloud-native file storage system. A vulnerability was found during in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the UserService of the master component. The UserService gets instantiated when starting the server of the master component. The issue has been patched in v3.3.1. For impacted users, there is no other way to mitigate the issue besides upgrading.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Linuxfoundation	Cubefs

Configuration 1 [-]

cpe:2.3:a:linuxfoundation:cubefs:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/cubefs/cubefs/commit/6a0d5fa45a77ff20c752fa9e44738bf5d86c84bd
https://github.com/cubefs/cubefs/security/advisories/GHSA-8579-7p32-f398

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-03T16:15:58.183Z

Updated: 2024-08-02T20:53:21.310Z

Reserved: 2023-10-25T14:30:33.753Z

Link: CVE-2023-46739

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-03T17:15:10.303

Modified: 2024-01-10T17:06:39.047

Link: CVE-2023-46739

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-46739", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-10-25T14:30:33.753Z", "datePublished": "2024-01-03T16:15:58.183Z", "dateUpdated": "2024-08-02T20:53:21.310Z"}, "containers": {"cna": {"title": "Timing attack can leak user passwords", "problemTypes": [{"descriptions": [{"cweId": "CWE-203", "lang": "en", "description": "CWE-203: Observable Discrepancy", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/cubefs/cubefs/security/advisories/GHSA-8579-7p32-f398", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cubefs/cubefs/security/advisories/GHSA-8579-7p32-f398"}, {"name": "https://github.com/cubefs/cubefs/commit/6a0d5fa45a77ff20c752fa9e44738bf5d86c84bd", "tags": ["x_refsource_MISC"], "url": "https://github.com/cubefs/cubefs/commit/6a0d5fa45a77ff20c752fa9e44738bf5d86c84bd"}], "affected": [{"vendor": "cubefs", "product": "cubefs", "versions": [{"version": "< 3.3.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-03T16:15:58.183Z"}, "descriptions": [{"lang": "en", "value": "CubeFS is an open-source cloud-native file storage system. A vulnerability was found during in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the UserService of the master component. The UserService gets instantiated when starting the server of the master component. The issue has been patched in v3.3.1. For impacted users, there is no other way to mitigate the issue besides upgrading."}], "source": {"advisory": "GHSA-8579-7p32-f398", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:53:21.310Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/cubefs/cubefs/security/advisories/GHSA-8579-7p32-f398", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/cubefs/cubefs/security/advisories/GHSA-8579-7p32-f398"}, {"name": "https://github.com/cubefs/cubefs/commit/6a0d5fa45a77ff20c752fa9e44738bf5d86c84bd", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cubefs/cubefs/commit/6a0d5fa45a77ff20c752fa9e44738bf5d86c84bd"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:cubefs:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E8D59D8-6863-4398-9D77-2442BAF81108", "versionEndExcluding": "3.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CubeFS is an open-source cloud-native file storage system. A vulnerability was found during in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the UserService of the master component. The UserService gets instantiated when starting the server of the master component. The issue has been patched in v3.3.1. For impacted users, there is no other way to mitigate the issue besides upgrading."}, {"lang": "es", "value": "CubeFS es un sistema de almacenamiento de archivos nativo de la nube de c\u00f3digo abierto. Se encontr\u00f3 una vulnerabilidad en el componente maestro de CubeFS en versiones anteriores a la 3.3.1 que podr\u00eda permitir a un atacante no confiable robar contrase\u00f1as de usuario mediante la realizaci\u00f3n de un ataque de sincronizaci\u00f3n. El caso ra\u00edz de la vulnerabilidad fue que CubeFS utiliz\u00f3 una comparaci\u00f3n de contrase\u00f1as sin formato. La parte vulnerable de CubeFS era el UserService del componente maestro. Se crea una instancia de UserService al iniciar el servidor del componente maestro. El problema se solucion\u00f3 en la versi\u00f3n 3.3.1. Para los usuarios afectados, no hay otra forma de mitigar el problema adem\u00e1s de actualizar."}], "id": "CVE-2023-46739", "lastModified": "2024-01-10T17:06:39.047", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-03T17:15:10.303", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/cubefs/cubefs/commit/6a0d5fa45a77ff20c752fa9e44738bf5d86c84bd"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/cubefs/cubefs/security/advisories/GHSA-8579-7p32-f398"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "security-advisories@github.com", "type": "Primary"}]}