CVE-2023-46740

low-risk

Published 2024-01-03

CubeFS is an open-source cloud-native file storage system. Prior to version 3.3.1, CubeFS used an insecure random string generator to generate user-specific, sensitive keys used to authenticate users in a CubeFS deployment. This could allow an attacker to predict and/or guess the generated string and impersonate a user thereby obtaining higher privileges. When CubeFS creates new users, it creates a piece of sensitive information for the user called the “accessKey”. To create the "accesKey", CubeFS uses an insecure string generator which makes it easy to guess and thereby impersonate the created user. An attacker could leverage the predictable random string generator and guess a users access key and impersonate the user to obtain higher privileges. The issue has been fixed in v3.3.1. There is no other mitigation than to upgrade.

Do I need to act?

0.07% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / HIGH complexity

Affected Products (1)

Cubefs

Affected Vendors

Linuxfoundation

References (4)

Patch https://github.com/cubefs/cubefs/commit/8555c6402794cabdf2cc025c8bea1576122c07ba

Third Party Advisory https://github.com/cubefs/cubefs/security/advisories/GHSA-4248-p65p-hcrm

Patch https://github.com/cubefs/cubefs/commit/8555c6402794cabdf2cc025c8bea1576122c07ba

Third Party Advisory https://github.com/cubefs/cubefs/security/advisories/GHSA-4248-p65p-hcrm

/ 100

low-risk

Severity 20/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal