CVE-2023-4640: Set Logging Level Without Authentication
First published: Wed Aug 30 2023(Updated: )
The controller responsible for setting the logging level does not include any authorization checks to ensure the user is authenticated. This can be seen by noting that it extends Controller rather than AuthenticatedController and includes no further checks. This issue affects YugabyteDB Anywhere: from 2.0.0 through 2.17.3
Credit: security@yugabyte.com security@yugabyte.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Yugabyte YugabyteDB | >=2.0.0<=2.17.3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-4640?
CVE-2023-4640 is a vulnerability in YugabyteDB Anywhere that allows unauthorized users to set the logging level.
What is the severity of CVE-2023-4640?
CVE-2023-4640 has a severity rating of 7.5 (high).
How does CVE-2023-4640 affect YugabyteDB Anywhere?
CVE-2023-4640 affects YugabyteDB Anywhere versions 2.0.0 to 2.17.3.0.
How can unauthorized users exploit CVE-2023-4640?
Unauthorized users can exploit CVE-2023-4640 by setting the logging level without proper authorization checks.
Is there a fix for CVE-2023-4640?
To fix CVE-2023-4640, users should apply the latest updates and patches provided by YugabyteDB.
- agent/author
- agent/type
- agent/weakness
- agent/references
- agent/severity
- agent/title
- agent/description
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/yugabyte
- canonical/yugabyte yugabytedb
- version/yugabyte yugabytedb/2.0.0
- version/yugabyte yugabytedb/2.17.3.0