Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for YugabyteDB by YugabyteDB

    CVE-2023-6002 (GCVE-0-2023-6002)

    Vulnerability from nvd – Published: 2023-11-07 23:56 – Updated: 2024-09-17 13:03
    VLAI
    Title
    Log Injection
    Summary
    YugabyteDB is vulnerable to cross site scripting (XSS) via log injection. Writing invalidated user input to log files can allow an unprivileged attacker to forge log entries or inject malicious content into the logs.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-117 - Improper Output Neutralization for Logs
    Assigner
    References
    Impacted products
    Vendor Product Version
    YugabyteDB YugabyteDB Affected: 2.0.0.0 , ≤ 2.14.13.0, 2.16.7.0, 2.18.3.0 (semver)
    Unaffected: 2.14.14.0
    Unaffected: 2.16.8.0
    Unaffected: 2.18.4.0
    Create a notification for this product.
    Date Public
    2023-11-07 23:03
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:14:25.135Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.yugabyte.com/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-6002",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-04T13:19:18.227681Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-17T13:03:18.141Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux",
                "Docker",
                "Kubernetes",
                "MacOS"
              ],
              "product": "YugabyteDB",
              "vendor": "YugabyteDB",
              "versions": [
                {
                  "lessThanOrEqual": "2.14.13.0, 2.16.7.0, 2.18.3.0",
                  "status": "affected",
                  "version": "2.0.0.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.14.14.0"
                },
                {
                  "status": "unaffected",
                  "version": "2.16.8.0"
                },
                {
                  "status": "unaffected",
                  "version": "2.18.4.0"
                }
              ]
            }
          ],
          "datePublic": "2023-11-07T23:03:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eYugabyteDB is vulnerable to cross site scripting (XSS) via log injection.\u0026nbsp;Writing invalidated user input to log files can allow an unprivileged\u0026nbsp;attacker to forge log entries or inject malicious content into the logs.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "YugabyteDB is vulnerable to cross site scripting (XSS) via log injection.\u00a0Writing invalidated user input to log files can allow an unprivileged\u00a0attacker to forge log entries or inject malicious content into the logs.\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-93",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-93: Log Injection-Tampering-Forging"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-117",
                  "description": "CWE-117: Improper Output Neutralization for Logs",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-09T19:18:33.398Z",
            "orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
            "shortName": "Yugabyte"
          },
          "references": [
            {
              "url": "https://www.yugabyte.com/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Log Injection",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
        "assignerShortName": "Yugabyte",
        "cveId": "CVE-2023-6002",
        "datePublished": "2023-11-07T23:56:50.729Z",
        "dateReserved": "2023-11-07T22:20:00.534Z",
        "dateUpdated": "2024-09-17T13:03:18.141Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-0575 (GCVE-0-2023-0575)

    Vulnerability from nvd – Published: 2023-02-09 16:12 – Updated: 2025-03-24 18:34
    VLAI
    Title
    Remote Code Execution
    Summary
    External Control of Critical State Data, Improper Control of Generation of Code ('Code Injection') vulnerability in YugaByte, Inc. Yugabyte DB on Windows, Linux, MacOS, iOS (DevopsBase.Java:execCommand, TableManager.Java:runCommand modules) allows API Manipulation, Privilege Abuse. This vulnerability is associated with program files backup.Py. This issue affects Yugabyte DB: Lesser then 2.2.0.0
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-642 - External Control of Critical State Data
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    YugabyteDB YugabyteDB Affected: 2.0 , < 2.15 (2.0 to 2.14)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T05:17:49.883Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.yugabyte.com/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-0575",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-24T17:33:06.055344Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-24T18:34:16.202Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "DevopsBase.java:execCommand",
                "TableManager.java:runCommand"
              ],
              "platforms": [
                "Linux",
                "Docker",
                "Kubernetes",
                "MacOS"
              ],
              "product": "YugabyteDB",
              "vendor": "YugabyteDB",
              "versions": [
                {
                  "lessThan": "2.15",
                  "status": "affected",
                  "version": "2.0",
                  "versionType": "2.0 to 2.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "External Control of Critical State Data, Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in YugaByte, Inc. Yugabyte DB on Windows, Linux, MacOS, iOS (DevopsBase.Java:execCommand, TableManager.Java:runCommand modules) allows API Manipulation, Privilege Abuse.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003ebackup.Py\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects Yugabyte DB: Lesser then 2.2.0.0\u003c/p\u003e"
                }
              ],
              "value": "External Control of Critical State Data, Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in YugaByte, Inc. Yugabyte DB on Windows, Linux, MacOS, iOS (DevopsBase.Java:execCommand, TableManager.Java:runCommand modules) allows API Manipulation, Privilege Abuse. This vulnerability is associated with program files backup.Py.\n\nThis issue affects Yugabyte DB: Lesser then 2.2.0.0\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-113",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-113 API Manipulation"
                }
              ]
            },
            {
              "capecId": "CAPEC-122",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-122 Privilege Abuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-642",
                  "description": "CWE-642: External Control of Critical State Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-10T22:22:52.652Z",
            "orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
            "shortName": "Yugabyte"
          },
          "references": [
            {
              "url": "https://www.yugabyte.com/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Use Yugabyte version\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cb\u003e2.3.3.0-b106\u0026nbsp;\u003c/b\u003eor higher.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Use Yugabyte version\u00a02.3.3.0-b106\u00a0or higher.\n\n"
            }
          ],
          "source": {
            "defect": [
              "PLAT-3444"
            ],
            "discovery": "INTERNAL"
          },
          "title": "Remote Code Execution",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn \u003c/span\u003e\u003ccode\u003eyugaware/config/configs\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e folder there is a file \u003c/span\u003e\u003ccode\u003eacceptableKeys.yaml\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e which contains a list of acceptable keys for different types of providers. Edit it and restart the Yugaware process to reload the list.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "In yugaware/config/configs folder there is a file acceptableKeys.yaml which contains a list of acceptable keys for different types of providers. Edit it and restart the Yugaware process to reload the list.\n"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
        "assignerShortName": "Yugabyte",
        "cveId": "CVE-2023-0575",
        "datePublished": "2023-02-09T16:12:46.327Z",
        "dateReserved": "2023-01-30T08:16:20.523Z",
        "dateUpdated": "2025-03-24T18:34:16.202Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-6002 (GCVE-0-2023-6002)

    Vulnerability from cvelistv5 – Published: 2023-11-07 23:56 – Updated: 2024-09-17 13:03
    VLAI
    Title
    Log Injection
    Summary
    YugabyteDB is vulnerable to cross site scripting (XSS) via log injection. Writing invalidated user input to log files can allow an unprivileged attacker to forge log entries or inject malicious content into the logs.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-117 - Improper Output Neutralization for Logs
    Assigner
    References
    Impacted products
    Vendor Product Version
    YugabyteDB YugabyteDB Affected: 2.0.0.0 , ≤ 2.14.13.0, 2.16.7.0, 2.18.3.0 (semver)
    Unaffected: 2.14.14.0
    Unaffected: 2.16.8.0
    Unaffected: 2.18.4.0
    Create a notification for this product.
    Date Public
    2023-11-07 23:03
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:14:25.135Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.yugabyte.com/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-6002",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-04T13:19:18.227681Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-17T13:03:18.141Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux",
                "Docker",
                "Kubernetes",
                "MacOS"
              ],
              "product": "YugabyteDB",
              "vendor": "YugabyteDB",
              "versions": [
                {
                  "lessThanOrEqual": "2.14.13.0, 2.16.7.0, 2.18.3.0",
                  "status": "affected",
                  "version": "2.0.0.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.14.14.0"
                },
                {
                  "status": "unaffected",
                  "version": "2.16.8.0"
                },
                {
                  "status": "unaffected",
                  "version": "2.18.4.0"
                }
              ]
            }
          ],
          "datePublic": "2023-11-07T23:03:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eYugabyteDB is vulnerable to cross site scripting (XSS) via log injection.\u0026nbsp;Writing invalidated user input to log files can allow an unprivileged\u0026nbsp;attacker to forge log entries or inject malicious content into the logs.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "YugabyteDB is vulnerable to cross site scripting (XSS) via log injection.\u00a0Writing invalidated user input to log files can allow an unprivileged\u00a0attacker to forge log entries or inject malicious content into the logs.\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-93",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-93: Log Injection-Tampering-Forging"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-117",
                  "description": "CWE-117: Improper Output Neutralization for Logs",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-09T19:18:33.398Z",
            "orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
            "shortName": "Yugabyte"
          },
          "references": [
            {
              "url": "https://www.yugabyte.com/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Log Injection",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
        "assignerShortName": "Yugabyte",
        "cveId": "CVE-2023-6002",
        "datePublished": "2023-11-07T23:56:50.729Z",
        "dateReserved": "2023-11-07T22:20:00.534Z",
        "dateUpdated": "2024-09-17T13:03:18.141Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-0575 (GCVE-0-2023-0575)

    Vulnerability from cvelistv5 – Published: 2023-02-09 16:12 – Updated: 2025-03-24 18:34
    VLAI
    Title
    Remote Code Execution
    Summary
    External Control of Critical State Data, Improper Control of Generation of Code ('Code Injection') vulnerability in YugaByte, Inc. Yugabyte DB on Windows, Linux, MacOS, iOS (DevopsBase.Java:execCommand, TableManager.Java:runCommand modules) allows API Manipulation, Privilege Abuse. This vulnerability is associated with program files backup.Py. This issue affects Yugabyte DB: Lesser then 2.2.0.0
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-642 - External Control of Critical State Data
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    YugabyteDB YugabyteDB Affected: 2.0 , < 2.15 (2.0 to 2.14)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T05:17:49.883Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.yugabyte.com/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-0575",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-24T17:33:06.055344Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-24T18:34:16.202Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "DevopsBase.java:execCommand",
                "TableManager.java:runCommand"
              ],
              "platforms": [
                "Linux",
                "Docker",
                "Kubernetes",
                "MacOS"
              ],
              "product": "YugabyteDB",
              "vendor": "YugabyteDB",
              "versions": [
                {
                  "lessThan": "2.15",
                  "status": "affected",
                  "version": "2.0",
                  "versionType": "2.0 to 2.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "External Control of Critical State Data, Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in YugaByte, Inc. Yugabyte DB on Windows, Linux, MacOS, iOS (DevopsBase.Java:execCommand, TableManager.Java:runCommand modules) allows API Manipulation, Privilege Abuse.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003ebackup.Py\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects Yugabyte DB: Lesser then 2.2.0.0\u003c/p\u003e"
                }
              ],
              "value": "External Control of Critical State Data, Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in YugaByte, Inc. Yugabyte DB on Windows, Linux, MacOS, iOS (DevopsBase.Java:execCommand, TableManager.Java:runCommand modules) allows API Manipulation, Privilege Abuse. This vulnerability is associated with program files backup.Py.\n\nThis issue affects Yugabyte DB: Lesser then 2.2.0.0\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-113",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-113 API Manipulation"
                }
              ]
            },
            {
              "capecId": "CAPEC-122",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-122 Privilege Abuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-642",
                  "description": "CWE-642: External Control of Critical State Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-10T22:22:52.652Z",
            "orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
            "shortName": "Yugabyte"
          },
          "references": [
            {
              "url": "https://www.yugabyte.com/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Use Yugabyte version\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cb\u003e2.3.3.0-b106\u0026nbsp;\u003c/b\u003eor higher.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Use Yugabyte version\u00a02.3.3.0-b106\u00a0or higher.\n\n"
            }
          ],
          "source": {
            "defect": [
              "PLAT-3444"
            ],
            "discovery": "INTERNAL"
          },
          "title": "Remote Code Execution",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn \u003c/span\u003e\u003ccode\u003eyugaware/config/configs\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e folder there is a file \u003c/span\u003e\u003ccode\u003eacceptableKeys.yaml\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e which contains a list of acceptable keys for different types of providers. Edit it and restart the Yugaware process to reload the list.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "In yugaware/config/configs folder there is a file acceptableKeys.yaml which contains a list of acceptable keys for different types of providers. Edit it and restart the Yugaware process to reload the list.\n"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
        "assignerShortName": "Yugabyte",
        "cveId": "CVE-2023-0575",
        "datePublished": "2023-02-09T16:12:46.327Z",
        "dateReserved": "2023-01-30T08:16:20.523Z",
        "dateUpdated": "2025-03-24T18:34:16.202Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }