CVE-2024-0006 - Vulnerability Details - OpenCVE

Information exposure in the logging system in Yugabyte Platform allows local attackers with access to application logs to obtain database user credentials in log files, potentially leading to unauthorized database access.

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required High

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://github.com/yugabyte/yugabyte-db/commit/439c6286f1971f9ac6bff2c7215b454c2025c593
https://github.com/yugabyte/yugabyte-db/commit/5cc7f4e15d6ccccbf97c57946fd0aa630f88c9e2
https://github.com/yugabyte/yugabyte-db/commit/d96e6b629f34d065b47204daeeb44064e484c579

History

No history.

MITRE

Status: PUBLISHED

Assigner: Yugabyte

Published: 2024-07-19T14:26:14.160Z

Updated: 2024-08-01T17:41:15.316Z

Reserved: 2023-11-07T22:19:42.717Z

Link: CVE-2024-0006

Vulnrichment

Updated: 2024-08-01T17:41:15.316Z

NVD

Status : Awaiting Analysis

Published: 2024-07-19T15:15:09.930

Modified: 2024-11-21T08:45:41.097

Link: CVE-2024-0006

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-0006", "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078", "state": "PUBLISHED", "assignerShortName": "Yugabyte", "dateReserved": "2023-11-07T22:19:42.717Z", "datePublished": "2024-07-19T14:26:14.160Z", "dateUpdated": "2024-08-01T17:41:15.316Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Linux", "Docker", "Kubernetes"], "product": "YugabyteDB Anywhere", "vendor": "YugabyteDB", "versions": [{"lessThan": "2.18.9.0", "status": "affected", "version": "2.18.0.0", "versionType": "git"}, {"lessThan": "2.20.2.3", "status": "affected", "version": "2.20.0.0", "versionType": "git"}, {"lessThan": "2024.1.1.0", "status": "affected", "version": "2024.0.0.0", "versionType": "git"}]}], "datePublic": "2024-07-18T19:42:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Information exposure in the logging system in Yugabyte Platform allows local attackers with access to application logs to obtain database user credentials in log files, potentially leading to unauthorized database access."}], "value": "Information exposure in the logging system in Yugabyte Platform allows local attackers with access to application logs to obtain database user credentials in log files, potentially leading to unauthorized database access."}], "impacts": [{"capecId": "CAPEC-560", "descriptions": [{"lang": "en", "value": "CAPEC-560 Use of Known Domain Credentials"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "ADJACENT", "baseScore": 5.4, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532 Insertion of Sensitive Information into Log File", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078", "shortName": "Yugabyte", "dateUpdated": "2024-07-19T14:26:14.160Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/yugabyte/yugabyte-db/commit/439c6286f1971f9ac6bff2c7215b454c2025c593"}, {"tags": ["patch"], "url": "https://github.com/yugabyte/yugabyte-db/commit/d96e6b629f34d065b47204daeeb44064e484c579"}, {"tags": ["patch"], "url": "https://github.com/yugabyte/yugabyte-db/commit/5cc7f4e15d6ccccbf97c57946fd0aa630f88c9e2"}], "source": {"defect": ["PLAT-14286"], "discovery": "UNKNOWN"}, "title": "DB User Password Leak in Application Log", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "yugabyte", "product": "yugabytedb", "cpes": ["cpe:2.3:a:yugabyte:yugabytedb:2.18.0.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.18.0.0", "status": "affected", "lessThan": "2.18.9.0", "versionType": "custom"}, {"version": "2.20.0.0", "status": "affected", "lessThan": "2.20.2.3", "versionType": "custom"}, {"version": "2024.0.0.0", "status": "affected", "lessThan": "2024.1.1.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-23T14:31:12.448030Z", "id": "CVE-2024-0006", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-23T14:32:54.285Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T17:41:15.316Z"}, "title": "CVE Program Container", "references": [{"tags": ["patch", "x_transferred"], "url": "https://github.com/yugabyte/yugabyte-db/commit/439c6286f1971f9ac6bff2c7215b454c2025c593"}, {"tags": ["patch", "x_transferred"], "url": "https://github.com/yugabyte/yugabyte-db/commit/d96e6b629f34d065b47204daeeb44064e484c579"}, {"tags": ["patch", "x_transferred"], "url": "https://github.com/yugabyte/yugabyte-db/commit/5cc7f4e15d6ccccbf97c57946fd0aa630f88c9e2"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/yugabyte/yugabyte-db/commit/439c6286f1971f9ac6bff2c7215b454c2025c593", "tags": ["patch", "x_transferred"]}, {"url": "https://github.com/yugabyte/yugabyte-db/commit/d96e6b629f34d065b47204daeeb44064e484c579", "tags": ["patch", "x_transferred"]}, {"url": "https://github.com/yugabyte/yugabyte-db/commit/5cc7f4e15d6ccccbf97c57946fd0aa630f88c9e2", "tags": ["patch", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T17:41:15.316Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0006", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-23T14:31:12.448030Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:yugabyte:yugabytedb:2.18.0.0:*:*:*:*:*:*:*"], "vendor": "yugabyte", "product": "yugabytedb", "versions": [{"status": "affected", "version": "2.18.0.0", "lessThan": "2.18.9.0", "versionType": "custom"}, {"status": "affected", "version": "2.20.0.0", "lessThan": "2.20.2.3", "versionType": "custom"}, {"status": "affected", "version": "2024.0.0.0", "lessThan": "2024.1.1.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-23T14:32:49.692Z"}}], "cna": {"title": "DB User Password Leak in Application Log", "source": {"defect": ["PLAT-14286"], "discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-560", "descriptions": [{"lang": "en", "value": "CAPEC-560 Use of Known Domain Credentials"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.4, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "YugabyteDB", "product": "YugabyteDB Anywhere", "versions": [{"status": "affected", "version": "2.18.0.0", "lessThan": "2.18.9.0", "versionType": "git"}, {"status": "affected", "version": "2.20.0.0", "lessThan": "2.20.2.3", "versionType": "git"}, {"status": "affected", "version": "2024.0.0.0", "lessThan": "2024.1.1.0", "versionType": "git"}], "platforms": ["Linux", "Docker", "Kubernetes"], "defaultStatus": "unaffected"}], "datePublic": "2024-07-18T19:42:00.000Z", "references": [{"url": "https://github.com/yugabyte/yugabyte-db/commit/439c6286f1971f9ac6bff2c7215b454c2025c593", "tags": ["patch"]}, {"url": "https://github.com/yugabyte/yugabyte-db/commit/d96e6b629f34d065b47204daeeb44064e484c579", "tags": ["patch"]}, {"url": "https://github.com/yugabyte/yugabyte-db/commit/5cc7f4e15d6ccccbf97c57946fd0aa630f88c9e2", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Information exposure in the logging system in Yugabyte Platform allows local attackers with access to application logs to obtain database user credentials in log files, potentially leading to unauthorized database access.", "supportingMedia": [{"type": "text/html", "value": "Information exposure in the logging system in Yugabyte Platform allows local attackers with access to application logs to obtain database user credentials in log files, potentially leading to unauthorized database access.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532 Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078", "shortName": "Yugabyte", "dateUpdated": "2024-07-19T14:26:14.160Z"}}}, "cveMetadata": {"cveId": "CVE-2024-0006", "state": "PUBLISHED", "dateUpdated": "2024-08-01T17:41:15.316Z", "dateReserved": "2023-11-07T22:19:42.717Z", "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078", "datePublished": "2024-07-19T14:26:14.160Z", "assignerShortName": "Yugabyte"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "Information exposure in the logging system in Yugabyte Platform allows local attackers with access to application logs to obtain database user credentials in log files, potentially leading to unauthorized database access."}, {"lang": "es", "value": " La exposici\u00f3n de informaci\u00f3n en el sistema de registro de Yugabyte Platform permite a atacantes locales con acceso a los registros de aplicaciones obtener credenciales de usuario de la base de datos en archivos de registro, lo que podr\u00eda conducir a un acceso no autorizado a la base de datos."}], "id": "CVE-2024-0006", "lastModified": "2024-11-21T08:45:41.097", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "ADJACENT", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "LOW", "subsequentSystemConfidentiality": "LOW", "subsequentSystemIntegrity": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "security@yugabyte.com", "type": "Secondary"}]}, "published": "2024-07-19T15:15:09.930", "references": [{"source": "security@yugabyte.com", "url": "https://github.com/yugabyte/yugabyte-db/commit/439c6286f1971f9ac6bff2c7215b454c2025c593"}, {"source": "security@yugabyte.com", "url": "https://github.com/yugabyte/yugabyte-db/commit/5cc7f4e15d6ccccbf97c57946fd0aa630f88c9e2"}, {"source": "security@yugabyte.com", "url": "https://github.com/yugabyte/yugabyte-db/commit/d96e6b629f34d065b47204daeeb44064e484c579"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/yugabyte/yugabyte-db/commit/439c6286f1971f9ac6bff2c7215b454c2025c593"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/yugabyte/yugabyte-db/commit/5cc7f4e15d6ccccbf97c57946fd0aa630f88c9e2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/yugabyte/yugabyte-db/commit/d96e6b629f34d065b47204daeeb44064e484c579"}], "sourceIdentifier": "security@yugabyte.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "security@yugabyte.com", "type": "Secondary"}]}