CVE-2023-4640

2023-08-3017:15:11

CWE-284

[email protected]

web.nvd.nist.gov

cve-2023-4640

authorization checks

logging level

security vulnerability

yugabytedb anywhere

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

37.3%

JSON

The controller responsible for setting the logging level does not include any authorization
checks to ensure the user is authenticated. This can be seen by noting that it extends
Controller rather than AuthenticatedController and includes no further checks. This issue affects YugabyteDB Anywhere: from 2.0.0 through 2.17.3

Affected configurations

NVD

Node

yugabyteyugabytedbRange2.0.0–2.17.3.0

CPENameOperatorVersion
yugabyte:yugabytedbyugabyte yugabytedble2.17.3.0

CPE	Name	Operator	Version
yugabyte:yugabytedb	yugabyte yugabytedb	le	2.17.3.0

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Anywhere",
    "repo": "https://github.com/yugabyte/yugabyte-db",
    "vendor": "YugabyteDB",
    "versions": [
      {
        "lessThanOrEqual": "2.17.3",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "2.17.3.0"
      }
    ]
  }
]