Page 2 of 294 results (0.002 seconds)

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

CubeFS is an open-source cloud-native file storage system. A vulnerability was found in CubeFS prior to version 3.3.1 that could allow users to read sensitive data from the logs which could allow them escalate privileges. CubeFS leaks configuration keys in plaintext format in the logs. These keys could allow anyone to carry out operations on blobs that they otherwise do not have permissions for. For example, an attacker that has succesfully retrieved a secret key from the logs can delete blogs from the blob store. • https://github.com/cubefs/cubefs/commit/972f0275ee8d5dbba4b1530da7c145c269b31ef5 https://github.com/cubefs/cubefs/security/advisories/GHSA-8h2x-gr2c-c275 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

CubeFS is an open-source cloud-native file storage system. Prior to version 3.3.1, CubeFS used an insecure random string generator to generate user-specific, sensitive keys used to authenticate users in a CubeFS deployment. This could allow an attacker to predict and/or guess the generated string and impersonate a user thereby obtaining higher privileges. When CubeFS creates new users, it creates a piece of sensitive information for the user called the “accessKey”. To create the "accesKey", CubeFS uses an insecure string generator which makes it easy to guess and thereby impersonate the created user. • https://github.com/cubefs/cubefs/commit/8555c6402794cabdf2cc025c8bea1576122c07ba https://github.com/cubefs/cubefs/security/advisories/GHSA-4248-p65p-hcrm • CWE-330: Use of Insufficiently Random Values •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

CubeFS is an open-source cloud-native file storage system. A vulnerability was found during in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the UserService of the master component. The UserService gets instantiated when starting the server of the master component. • https://github.com/cubefs/cubefs/commit/6a0d5fa45a77ff20c752fa9e44738bf5d86c84bd https://github.com/cubefs/cubefs/security/advisories/GHSA-8579-7p32-f398 • CWE-203: Observable Discrepancy •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

CubeFS is an open-source cloud-native file storage system. A security vulnerability was found in CubeFS HandlerNode in versions prior to 3.3.1 that could allow authenticated users to send maliciously-crafted requests that would crash the ObjectNode and deny other users from using it. The root cause was improper handling of incoming HTTP requests that could allow an attacker to control the ammount of memory that the ObjectNode would allocate. A malicious request could make the ObjectNode allocate more memory that the machine had available, and the attacker could exhaust memory by way of a single malicious request. An attacker would need to be authenticated in order to invoke the vulnerable code with their malicious request and have permissions to delete objects. • https://github.com/cubefs/cubefs/commit/dd46c24873c8f3df48d0a598b704ef9bd24b1ec1 https://github.com/cubefs/cubefs/security/advisories/GHSA-qc6v-g3xw-grmx • CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 6.7EPSS: 0%CPEs: 40EXPL: 0

In aee, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07909204; Issue ID: ALPS07909204. En aee, existe una posible escalada de privilegios debido a la falta de una verificación de permisos. • https://corp.mediatek.com/product-security-bulletin/December-2023 • CWE-862: Missing Authorization •