What is the severity of CVE-2023-46742?

CVE-2023-46742 has been categorized as a security vulnerability that can impact data confidentiality.

How do I fix CVE-2023-46742?

To fix CVE-2023-46742, upgrade CubeFS to version 3.3.1 or later.

What components of CubeFS are affected by CVE-2023-46742?

CVE-2023-46742 affects multiple components of CubeFS where secret keys and access keys are logged.

What information is leaked in CVE-2023-46742?

CVE-2023-46742 results in the leakage of users' secret keys and access keys in the logs.

Who is at risk from CVE-2023-46742?

Lower-privileged users may exploit CVE-2023-46742 to gain access to sensitive information such as secret keys.

Vulnerability/
CVE-2023-46742

medium

6.5

CWE

532

3/1/2024

7/8/2024

CVE-2023-46742: CubeFS leaks users key in logs

First published: Wed Jan 03 2024(Updated: )

CubeFS is an open-source cloud-native file storage system. CubeFS prior to version 3.3.1 was found to leak users secret keys and access keys in the logs in multiple components. When CubeCS creates new users, it leaks the users secret key. This could allow a lower-privileged user with access to the logs to retrieve sensitive information and impersonate other users with higher privileges than themselves. The issue has been patched in v3.3.1. There is no other mitigation than upgrading CubeFS.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
go/github.com/cubefs/cubefs	<3.3.1	3.3.1
Linux Foundation CubeFS	<3.3.1

Remedy

https://github.com/cubefs/cubefs/commit/8dccce6ac8dff3db44d7e9074094c7303a5ff5dd

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2023-46742?
CVE-2023-46742 has been categorized as a security vulnerability that can impact data confidentiality.
How do I fix CVE-2023-46742?
To fix CVE-2023-46742, upgrade CubeFS to version 3.3.1 or later.
What components of CubeFS are affected by CVE-2023-46742?
CVE-2023-46742 affects multiple components of CubeFS where secret keys and access keys are logged.
What information is leaked in CVE-2023-46742?
CVE-2023-46742 results in the leakage of users' secret keys and access keys in the logs.
Who is at risk from CVE-2023-46742?
Lower-privileged users may exploit CVE-2023-46742 to gain access to sensitive information such as secret keys.

agent/references
agent/type
agent/first-publish-date
agent/severity
agent/remedy
agent/title
agent/weakness
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/description
collector/github-advisory-latest
source/GitHub
alias/GHSA-vwch-g97w-hfg2
alias/CVE-2023-46742
agent/software-canonical-lookup
agent/last-modified-date
agent/event
collector/github-advisory
agent/trending
agent/source
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup-request
collector/nvd-cve
agent/author
package-manager/go
vendor/linuxfoundation
canonical/linux foundation cubefs

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.