CVE-2023-0745: Arbitrary File Write in High Availability Backup Upload
First published: Thu Feb 09 2023(Updated: )
The High Availability functionality of Yugabyte Anywhere can be abused to write arbitrary files through the backup upload endpoint by using path traversal characters. This vulnerability is associated with program files PlatformReplicationManager.Java. This issue affects YugabyteDB Anywhere: from 2.0.0.0 through 2.13.0.0
Credit: security@yugabyte.com security@yugabyte.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| YugabyteDB Managed | >=2.0<=2.13 |
Remedy
Fixed in version 2.14 onwards .
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this YugaByte vulnerability?
The vulnerability ID for this YugaByte vulnerability is CVE-2023-0745.
What is the severity of CVE-2023-0745?
CVE-2023-0745 has a severity rating of 9.8 (Critical).
What is the affected software for CVE-2023-0745?
The affected software for CVE-2023-0745 is Yugabyte Managed version 2.0 through 2.13.
What is the CWE associated with CVE-2023-0745?
The CWE associated with CVE-2023-0745 are CWE-22 and CWE-23.
Is there a fix available for CVE-2023-0745?
Yes, fixing CVE-2023-0745 requires updating the affected Yugabyte Managed software to a version that addresses the vulnerability.
- agent/author
- agent/type
- agent/event
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/severity
- agent/remedy
- agent/last-modified-date
- agent/references
- agent/description
- agent/source
- agent/weakness
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- vendor/yugabyte
- canonical/yugabytedb managed
- version/yugabytedb managed/2.0
- version/yugabytedb managed/2.13