Lucene search

YugabyteCVELIST:CVE-2023-4640

HistoryAug 30, 2023 - 4:42 p.m.

CVE-2023-4640 Set Logging Level Without Authentication

2023-08-3016:42:45

CWE-284

Yugabyte

www.cve.org

cve-2023-4640

logging level

authentication bypass

yugabytedb anywhere

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

37.3%

JSON

The controller responsible for setting the logging level does not include any authorization
checks to ensure the user is authenticated. This can be seen by noting that it extends
Controller rather than AuthenticatedController and includes no further checks. This issue affects YugabyteDB Anywhere: from 2.0.0 through 2.17.3

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Anywhere",
    "repo": "https://github.com/yugabyte/yugabyte-db",
    "vendor": "YugabyteDB",
    "versions": [
      {
        "lessThanOrEqual": "2.17.3",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "2.17.3.0"
      }
    ]
  }
]

References

www.yugabyte.com/

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

37.3%

JSON

Related for CVELIST:CVE-2023-4640