Home > Vulnerability Database > CVE-2023-46739

Mend.io Vulnerability Database

CVE-2023-46739

Good to know:

Date: January 3, 2024

CubeFS is an open-source cloud-native file storage system. A vulnerability was found during in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the UserService of the master component. The UserService gets instantiated when starting the server of the master component. The issue has been patched in v3.3.1. For impacted users, there is no other way to mitigate the issue besides upgrading.

Language: Go

Severity Score

6.5

Related Resources (6)

Url: https://github.com/cubefs/cubefs/security/advisories/GHSA-8579-7p32-f398

Url: https://github.com/cubefs/cubefs/commit/c21d034d2fcd051ffd64afeafc68cbcb39d26551

Url: https://github.com/cubefs/cubefs/commit/6a0d5fa45a77ff20c752fa9e44738bf5d86c84bd

Url: https://github.com/cubefs/cubefs

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-46739

Url: https://www.mend.io/vulnerability-database/CVE-2023-46739

Severity Score

6.5

Weakness Type (CWE)

Observable Discrepancy

CWE-203

Top Fix

Upgrade Version

Upgrade to version github.com/cubefs/cubefs - v3.3.1

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2023-46739

Good to know:

Date: January 3, 2024

Language: Go

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?