CVE-2023-46739

{"id": "CVE-2023-46739", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.7, "exploitabilityScore": 2.2}]}, "published": "2024-01-03T17:15:10.303", "references": [{"url": "https://github.com/cubefs/cubefs/commit/6a0d5fa45a77ff20c752fa9e44738bf5d86c84bd", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/cubefs/cubefs/security/advisories/GHSA-8579-7p32-f398", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-203"}]}], "descriptions": [{"lang": "en", "value": "CubeFS is an open-source cloud-native file storage system. A vulnerability was found during in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the UserService of the master component. The UserService gets instantiated when starting the server of the master component. The issue has been patched in v3.3.1. For impacted users, there is no other way to mitigate the issue besides upgrading."}, {"lang": "es", "value": "CubeFS es un sistema de almacenamiento de archivos nativo de la nube de c\u00f3digo abierto. Se encontr\u00f3 una vulnerabilidad en el componente maestro de CubeFS en versiones anteriores a la 3.3.1 que podr\u00eda permitir a un atacante no confiable robar contrase\u00f1as de usuario mediante la realizaci\u00f3n de un ataque de sincronizaci\u00f3n. El caso ra\u00edz de la vulnerabilidad fue que CubeFS utiliz\u00f3 una comparaci\u00f3n de contrase\u00f1as sin formato. La parte vulnerable de CubeFS era el UserService del componente maestro. Se crea una instancia de UserService al iniciar el servidor del componente maestro. El problema se solucion\u00f3 en la versi\u00f3n 3.3.1. Para los usuarios afectados, no hay otra forma de mitigar el problema adem\u00e1s de actualizar."}], "lastModified": "2024-01-10T17:06:39.047", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:cubefs:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6E8D59D8-6863-4398-9D77-2442BAF81108", "versionEndExcluding": "3.3.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}