Lucene search

YugabyteCVELIST:CVE-2023-6002

HistoryNov 07, 2023 - 11:56 p.m.

CVE-2023-6002 Log Injection

2023-11-0723:56:50

CWE-117

Yugabyte

www.cve.org

yugabytedb

log injection

cve-2023-6002

cross site scripting

log files

unprivileged attacker

malicious content

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

0.0005 Low

EPSS

Percentile

17.1%

JSON

YugabyteDB is vulnerable to cross site scripting (XSS) via log injection. Writing invalidated user input to log files can allow an unprivileged attacker to forge log entries or inject malicious content into the logs.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Linux",
      "Docker",
      "Kubernetes",
      "MacOS"
    ],
    "product": "YugabyteDB",
    "vendor": "YugabyteDB",
    "versions": [
      {
        "lessThanOrEqual": "2.14.13.0, 2.16.7.0, 2.18.3.0",
        "status": "affected",
        "version": "2.0.0.0",
        "versionType": "semver"
      },
      {
        "status": "unaffected",
        "version": "2.14.14.0"
      },
      {
        "status": "unaffected",
        "version": "2.16.8.0"
      },
      {
        "status": "unaffected",
        "version": "2.18.4.0"
      }
    ]
  }
]

References

www.yugabyte.com/

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

0.0005 Low

EPSS

Percentile

17.1%

JSON

Related for CVELIST:CVE-2023-6002