CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46742 – CubeFS leaks users key in logs
https://notcve.org/view.php?id=CVE-2023-46742
03 Jan 2024 — CubeFS is an open-source cloud-native file storage system. CubeFS prior to version 3.3.1 was found to leak users secret keys and access keys in the logs in multiple components. When CubeCS creates new users, it leaks the users secret key. This could allow a lower-privileged user with access to the logs to retrieve sensitive information and impersonate other users with higher privileges than themselves. The issue has been patched in v3.3.1. • https://github.com/cubefs/cubefs/commit/8dccce6ac8dff3db44d7e9074094c7303a5ff5dd • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46741 – CubeFS leaks magic secret key when starting Blobstore access service
https://notcve.org/view.php?id=CVE-2023-46741
03 Jan 2024 — CubeFS is an open-source cloud-native file storage system. A vulnerability was found in CubeFS prior to version 3.3.1 that could allow users to read sensitive data from the logs which could allow them escalate privileges. CubeFS leaks configuration keys in plaintext format in the logs. These keys could allow anyone to carry out operations on blobs that they otherwise do not have permissions for. For example, an attacker that has succesfully retrieved a secret key from the logs can delete blogs from the blob... • https://github.com/cubefs/cubefs/commit/972f0275ee8d5dbba4b1530da7c145c269b31ef5 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46740 – Insecure random string generator used for sensitive data
https://notcve.org/view.php?id=CVE-2023-46740
03 Jan 2024 — CubeFS is an open-source cloud-native file storage system. Prior to version 3.3.1, CubeFS used an insecure random string generator to generate user-specific, sensitive keys used to authenticate users in a CubeFS deployment. This could allow an attacker to predict and/or guess the generated string and impersonate a user thereby obtaining higher privileges. When CubeFS creates new users, it creates a piece of sensitive information for the user called the “accessKey”. To create the "accesKey", CubeFS uses an i... • https://github.com/cubefs/cubefs/commit/8555c6402794cabdf2cc025c8bea1576122c07ba • CWE-330: Use of Insufficiently Random Values •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46739 – Timing attack can leak user passwords
https://notcve.org/view.php?id=CVE-2023-46739
03 Jan 2024 — CubeFS is an open-source cloud-native file storage system. A vulnerability was found during in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the UserService of the master component. The UserService gets instantiated when starting the server of the master component. • https://github.com/cubefs/cubefs/commit/6a0d5fa45a77ff20c752fa9e44738bf5d86c84bd • CWE-203: Observable Discrepancy •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46738 – Authenticated users can crash the CubeFS servers with maliciously crafted requests
https://notcve.org/view.php?id=CVE-2023-46738
03 Jan 2024 — CubeFS is an open-source cloud-native file storage system. A security vulnerability was found in CubeFS HandlerNode in versions prior to 3.3.1 that could allow authenticated users to send maliciously-crafted requests that would crash the ObjectNode and deny other users from using it. The root cause was improper handling of incoming HTTP requests that could allow an attacker to control the ammount of memory that the ObjectNode would allocate. A malicious request could make the ObjectNode allocate more memory... • https://github.com/cubefs/cubefs/commit/dd46c24873c8f3df48d0a598b704ef9bd24b1ec1 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-30512
https://notcve.org/view.php?id=CVE-2023-30512
12 Apr 2023 — CubeFS through 3.2.1 allows Kubernetes cluster-level privilege escalation. This occurs because DaemonSet has cfs-csi-cluster-role and can thus list all secrets, including the admin secret. • https://github.com/cubefs/cubefs/issues/1882 • CWE-732: Incorrect Permission Assignment for Critical Resource •