CVE-2023-46739: Timing attack can leak user passwords
First published: Wed Jan 03 2024(Updated: )
A vulnerability was found during in the CubeFS master component that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the UserService of the master component. The UserService gets instantiated when starting the server of the master component. CubeFS has not seen any evidence of this being exploited in the wild. The vulnerability was found during a security audit conducted by [Ada Logics](https://adalogics.com/) in collaboration with [OSTIF](https://ostif.org/) and the [CNCF](https://www.cncf.io/). The issue has been patched in v3.3.1. For impacted users, there is no other way to mitigate the issue besides upgrading.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/cubefs/cubefs | <3.3.1 | 3.3.1 |
| Linux Foundation CubeFS | <3.3.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/cubefs/cubefs/security/advisories/GHSA-8579-7p32-f398
- https://github.com/cubefs/cubefs/commit/c21d034d2fcd051ffd64afeafc68cbcb39d26551
- https://nvd.nist.gov/vuln/detail/CVE-2023-46739
- https://github.com/cubefs/cubefs/commit/6a0d5fa45a77ff20c752fa9e44738bf5d86c84bd
- https://github.com/advisories/GHSA-8579-7p32-f398 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2023-46739?
CVE-2023-46739 has a high severity rating due to the potential for password theft through timing attacks.
How do I fix CVE-2023-46739?
To fix CVE-2023-46739, upgrade your CubeFS version to 3.3.1 or later, where the vulnerability is addressed.
What causes CVE-2023-46739?
CVE-2023-46739 is caused by CubeFS using raw string comparison for password validation, making it susceptible to timing attacks.
Which versions of CubeFS are affected by CVE-2023-46739?
CVE-2023-46739 affects CubeFS versions prior to 3.3.1.
Can CVE-2023-46739 impact user data privacy?
Yes, CVE-2023-46739 can significantly impact user data privacy by allowing attackers to potentially steal passwords.
- agent/author
- agent/first-publish-date
- agent/type
- agent/remedy
- agent/severity
- agent/title
- agent/weakness
- agent/references
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-8579-7p32-f398
- alias/CVE-2023-46739
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/event
- collector/github-advisory
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/go
- vendor/linuxfoundation
- canonical/linux foundation cubefs