Home > Vulnerability Database > CVE-2023-46739

Mend.io Vulnerability Database

CVE-2023-46739

Good to know:

Date: January 3, 2024

CubeFS is an open-source cloud-native file storage system. A vulnerability was found during in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the UserService of the master component. The UserService gets instantiated when starting the server of the master component. The issue has been patched in v3.3.1. For impacted users, there is no other way to mitigate the issue besides upgrading.

Language: Go

Severity Score

5.9

Related Resources (4)

Url: https://github.com/cubefs/cubefs/security/advisories/GHSA-8579-7p32-f398

Url: https://github.com/cubefs/cubefs/commit/6a0d5fa45a77ff20c752fa9e44738bf5d86c84bd

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-46739

Url: https://www.mend.io/vulnerability-database/CVE-2023-46739

Severity Score

5.9

Weakness Type (CWE)

Observable Discrepancy

CWE-203

Top Fix

Upgrade Version

Upgrade to version v3.3.1

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-46739

Good to know:

Date: January 3, 2024

Language: Go

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?