6 vulnerabilities found for YugabyteDB Anywhere by YugabyteDB Inc
CVE-2026-1966 (GCVE-0-2026-1966)
Vulnerability from nvd – Published: 2026-02-05 11:38 – Updated: 2026-02-05 14:18
Title
YugabyteDB Anywhere Exposes LDAP Credentials in Cleartext in Web UI
Summary
YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.
Severity ?
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| YugabyteDB Inc | YugabyteDB Anywhere | Affected: 2025.1.0.0, < 2025.1.1.0 (custom)<br>Affected: 2024.2.0.0, < 2024.2.6.0 (custom)<br>Unaffected: 2025.2.0.0 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1966",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T14:18:27.232841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T14:18:33.527Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "yugaware",
"platforms": [
"Linux"
],
"product": "YugabyteDB Anywhere",
"repo": "https://github.com/yugabyte/yugabyte-db/",
"vendor": "YugabyteDB Inc",
"versions": [
{
"lessThan": "2025.1.1.0",
"status": "affected",
"version": "2025.1.0.0",
"versionType": "custom"
},
{
"lessThan": "2024.2.6.0",
"status": "affected",
"version": "2024.2.0.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2025.2.0.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services."
}
],
"impacts": [
{
"capecId": "CAPEC-118",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-118 Data Leakage Attacks"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "PHYSICAL",
"baseScore": 2.4,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T11:38:28.291Z",
"orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
"shortName": "Yugabyte"
},
"references": [
{
"url": "https://docs.yugabyte.com/stable/secure/vulnerability-disclosure-policy/"
}
],
"source": {
"defect": [
"PLAT-18069"
],
"discovery": "INTERNAL"
},
"title": "YugabyteDB Anywhere Exposes LDAP Credentials in Cleartext in Web UI",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
"assignerShortName": "Yugabyte",
"cveId": "CVE-2026-1966",
"datePublished": "2026-02-05T11:38:28.291Z",
"dateReserved": "2026-02-05T11:27:51.783Z",
"dateUpdated": "2026-02-05T14:18:33.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-8866 (GCVE-0-2025-8866)
Vulnerability from nvd – Published: 2025-08-11 16:25 – Updated: 2025-08-11 17:11
Summary
YugabyteDB Anywhere web server does not properly enforce authentication for the /metamaster/universe API endpoint. An unauthenticated attacker could exploit this flaw to obtain server networking configuration details, including private and public IP addresses and DNS records.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| YugabyteDB Inc | YugabyteDB Anywhere | Unaffected: 2025.* (custom)<br>Affected: 2024.* (custom)<br>Affected: 2.20.* (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8866",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-11T17:09:08.950482Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T17:11:02.446Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "yugaware",
"platforms": [
"Linux",
"MacOS",
"ARM",
"x86"
],
"product": "YugabyteDB Anywhere",
"vendor": "YugabyteDB Inc",
"versions": [
{
"status": "unaffected",
"version": "2025.*",
"versionType": "custom"
},
{
"status": "affected",
"version": "2024.*",
"versionType": "custom"
},
{
"status": "affected",
"version": "2.20.*",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "YugabyteDB Anywhere web server does not properly enforce authentication for the \u003ccode\u003e/metamaster/universe\u003c/code\u003e API endpoint. An unauthenticated attacker could exploit this flaw to obtain server networking configuration details, including private and public IP addresses and DNS records."
}
],
"value": "YugabyteDB Anywhere web server does not properly enforce authentication for the /metamaster/universe API endpoint. An unauthenticated attacker could exploit this flaw to obtain server networking configuration details, including private and public IP addresses and DNS records."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "CLEAR",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/U:Clear",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T16:25:35.897Z",
"orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
"shortName": "Yugabyte"
},
"references": [
{
"url": "https://docs.yugabyte.com/preview/secure/vulnerability-disclosure-policy/"
}
],
"source": {
"defect": [
"PLAT-16733"
],
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
"assignerShortName": "Yugabyte",
"cveId": "CVE-2025-8866",
"datePublished": "2025-08-11T16:25:35.897Z",
"dateReserved": "2025-08-11T13:30:57.192Z",
"dateUpdated": "2025-08-11T17:11:02.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8864 (GCVE-0-2025-8864)
Vulnerability from nvd – Published: 2025-08-11 13:30 – Updated: 2025-08-11 15:05
Summary
The Shared Access Signature (SAS) token is not masked in the backup configuration response and is also exposed in the yb_backup logs.
Severity ?
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| YugabyteDB Inc | YugabyteDB Anywhere | Unaffected: 2.20.0.0, < 2.20.7.0 (custom)<br>Affected: 2.23.0.0, < 2.23.1.0 (custom)<br>Affected: 2024.1.0.0, < 2024.1.3.0 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8864",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-11T15:05:31.937000Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T15:05:42.481Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "yugaware",
"platforms": [
"MacOS",
"Linux",
"x86",
"ARM"
],
"product": "YugabyteDB Anywhere",
"vendor": "YugabyteDB Inc",
"versions": [
{
"lessThan": "2.20.7.0",
"status": "unaffected",
"version": "2.20.0.0",
"versionType": "custom"
},
{
"lessThan": "2.23.1.0",
"status": "affected",
"version": "2.23.0.0",
"versionType": "custom"
},
{
"lessThan": "2024.1.3.0",
"status": "affected",
"version": "2024.1.0.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eShared Access Signature token is not masked in the backup configuration response and is also exposed in the yb_backup logs\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Shared Access Signature token is not masked in the backup configuration response and is also exposed in the yb_backup logs"
}
],
"impacts": [
{
"capecId": "CAPEC-215",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-215 Fuzzing for application mapping"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T13:30:09.039Z",
"orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
"shortName": "Yugabyte"
},
"references": [
{
"url": "https://docs.yugabyte.com/preview/secure/vulnerability-disclosure-policy/"
}
],
"source": {
"defect": [
"PLAT-14788"
],
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
"assignerShortName": "Yugabyte",
"cveId": "CVE-2025-8864",
"datePublished": "2025-08-11T13:30:09.039Z",
"dateReserved": "2025-08-11T13:05:50.185Z",
"dateUpdated": "2025-08-11T15:05:42.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-1966 (GCVE-0-2026-1966)
Vulnerability from cvelistv5 – Published: 2026-02-05 11:38 – Updated: 2026-02-05 14:18
Title
YugabyteDB Anywhere Exposes LDAP Credentials in Cleartext in Web UI
Summary
YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.
Severity ?
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| YugabyteDB Inc | YugabyteDB Anywhere | Affected: 2025.1.0.0, < 2025.1.1.0 (custom)<br>Affected: 2024.2.0.0, < 2024.2.6.0 (custom)<br>Unaffected: 2025.2.0.0 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1966",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T14:18:27.232841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T14:18:33.527Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "yugaware",
"platforms": [
"Linux"
],
"product": "YugabyteDB Anywhere",
"repo": "https://github.com/yugabyte/yugabyte-db/",
"vendor": "YugabyteDB Inc",
"versions": [
{
"lessThan": "2025.1.1.0",
"status": "affected",
"version": "2025.1.0.0",
"versionType": "custom"
},
{
"lessThan": "2024.2.6.0",
"status": "affected",
"version": "2024.2.0.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2025.2.0.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services."
}
],
"impacts": [
{
"capecId": "CAPEC-118",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-118 Data Leakage Attacks"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "PHYSICAL",
"baseScore": 2.4,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T11:38:28.291Z",
"orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
"shortName": "Yugabyte"
},
"references": [
{
"url": "https://docs.yugabyte.com/stable/secure/vulnerability-disclosure-policy/"
}
],
"source": {
"defect": [
"PLAT-18069"
],
"discovery": "INTERNAL"
},
"title": "YugabyteDB Anywhere Exposes LDAP Credentials in Cleartext in Web UI",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
"assignerShortName": "Yugabyte",
"cveId": "CVE-2026-1966",
"datePublished": "2026-02-05T11:38:28.291Z",
"dateReserved": "2026-02-05T11:27:51.783Z",
"dateUpdated": "2026-02-05T14:18:33.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-8866 (GCVE-0-2025-8866)
Vulnerability from cvelistv5 – Published: 2025-08-11 16:25 – Updated: 2025-08-11 17:11
Summary
YugabyteDB Anywhere web server does not properly enforce authentication for the /metamaster/universe API endpoint. An unauthenticated attacker could exploit this flaw to obtain server networking configuration details, including private and public IP addresses and DNS records.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| YugabyteDB Inc | YugabyteDB Anywhere | Unaffected: 2025.* (custom)<br>Affected: 2024.* (custom)<br>Affected: 2.20.* (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8866",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-11T17:09:08.950482Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T17:11:02.446Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "yugaware",
"platforms": [
"Linux",
"MacOS",
"ARM",
"x86"
],
"product": "YugabyteDB Anywhere",
"vendor": "YugabyteDB Inc",
"versions": [
{
"status": "unaffected",
"version": "2025.*",
"versionType": "custom"
},
{
"status": "affected",
"version": "2024.*",
"versionType": "custom"
},
{
"status": "affected",
"version": "2.20.*",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "YugabyteDB Anywhere web server does not properly enforce authentication for the \u003ccode\u003e/metamaster/universe\u003c/code\u003e API endpoint. An unauthenticated attacker could exploit this flaw to obtain server networking configuration details, including private and public IP addresses and DNS records."
}
],
"value": "YugabyteDB Anywhere web server does not properly enforce authentication for the /metamaster/universe API endpoint. An unauthenticated attacker could exploit this flaw to obtain server networking configuration details, including private and public IP addresses and DNS records."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "CLEAR",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/U:Clear",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T16:25:35.897Z",
"orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
"shortName": "Yugabyte"
},
"references": [
{
"url": "https://docs.yugabyte.com/preview/secure/vulnerability-disclosure-policy/"
}
],
"source": {
"defect": [
"PLAT-16733"
],
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
"assignerShortName": "Yugabyte",
"cveId": "CVE-2025-8866",
"datePublished": "2025-08-11T16:25:35.897Z",
"dateReserved": "2025-08-11T13:30:57.192Z",
"dateUpdated": "2025-08-11T17:11:02.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8864 (GCVE-0-2025-8864)
Vulnerability from cvelistv5 – Published: 2025-08-11 13:30 – Updated: 2025-08-11 15:05
Summary
The Shared Access Signature (SAS) token is not masked in the backup configuration response and is also exposed in the yb_backup logs.
Severity ?
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| YugabyteDB Inc | YugabyteDB Anywhere | Unaffected: 2.20.0.0, < 2.20.7.0 (custom)<br>Affected: 2.23.0.0, < 2.23.1.0 (custom)<br>Affected: 2024.1.0.0, < 2024.1.3.0 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8864",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-11T15:05:31.937000Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T15:05:42.481Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "yugaware",
"platforms": [
"MacOS",
"Linux",
"x86",
"ARM"
],
"product": "YugabyteDB Anywhere",
"vendor": "YugabyteDB Inc",
"versions": [
{
"lessThan": "2.20.7.0",
"status": "unaffected",
"version": "2.20.0.0",
"versionType": "custom"
},
{
"lessThan": "2.23.1.0",
"status": "affected",
"version": "2.23.0.0",
"versionType": "custom"
},
{
"lessThan": "2024.1.3.0",
"status": "affected",
"version": "2024.1.0.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eShared Access Signature token is not masked in the backup configuration response and is also exposed in the yb_backup logs\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Shared Access Signature token is not masked in the backup configuration response and is also exposed in the yb_backup logs"
}
],
"impacts": [
{
"capecId": "CAPEC-215",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-215 Fuzzing for application mapping"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T13:30:09.039Z",
"orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
"shortName": "Yugabyte"
},
"references": [
{
"url": "https://docs.yugabyte.com/preview/secure/vulnerability-disclosure-policy/"
}
],
"source": {
"defect": [
"PLAT-14788"
],
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
"assignerShortName": "Yugabyte",
"cveId": "CVE-2025-8864",
"datePublished": "2025-08-11T13:30:09.039Z",
"dateReserved": "2025-08-11T13:05:50.185Z",
"dateUpdated": "2025-08-11T15:05:42.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}