Search

Find a vulnerability

Search criteria

    12 vulnerabilities found for yugabytedb by yugabyte

    CVE-2024-41435 (GCVE-0-2024-41435)

    Vulnerability from nvd – Published: 2024-09-03 00:00 – Updated: 2024-09-03 20:15
    VLAI
    Summary
    YugabyteDB v2.21.1.0 was discovered to contain a buffer overflow via the "insert into" parameter.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
    Assigner
    Impacted products
    Vendor Product Version
    yugabyte yugabytedb Affected: 2.21.1.0
        cpe:2.3:a:yugabyte:yugabytedb:2.21.1.0:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:yugabyte:yugabytedb:2.21.1.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "yugabytedb",
                "vendor": "yugabyte",
                "versions": [
                  {
                    "status": "affected",
                    "version": "2.21.1.0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-41435",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-03T20:13:37.543021Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-120",
                    "description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-03T20:15:08.289Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "YugabyteDB v2.21.1.0 was discovered to contain a buffer overflow via the \"insert into\" parameter."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-03T19:10:16.203Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/yugabyte/yugabyte-db/issues/22967"
            },
            {
              "url": "https://gist.github.com/ycybfhb/1427881e7db911786837d32b0669e06b"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2024-41435",
        "datePublished": "2024-09-03T00:00:00.000Z",
        "dateReserved": "2024-07-18T00:00:00.000Z",
        "dateUpdated": "2024-09-03T20:15:08.289Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-6002 (GCVE-0-2023-6002)

    Vulnerability from nvd – Published: 2023-11-07 23:56 – Updated: 2024-09-17 13:03
    VLAI
    Title
    Log Injection
    Summary
    YugabyteDB is vulnerable to cross site scripting (XSS) via log injection. Writing invalidated user input to log files can allow an unprivileged attacker to forge log entries or inject malicious content into the logs.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-117 - Improper Output Neutralization for Logs
    Assigner
    References
    Impacted products
    Vendor Product Version
    YugabyteDB YugabyteDB Affected: 2.0.0.0 , ≤ 2.14.13.0, 2.16.7.0, 2.18.3.0 (semver)
    Unaffected: 2.14.14.0
    Unaffected: 2.16.8.0
    Unaffected: 2.18.4.0
    Create a notification for this product.
    Date Public
    2023-11-07 23:03
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:14:25.135Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.yugabyte.com/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-6002",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-04T13:19:18.227681Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-17T13:03:18.141Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux",
                "Docker",
                "Kubernetes",
                "MacOS"
              ],
              "product": "YugabyteDB",
              "vendor": "YugabyteDB",
              "versions": [
                {
                  "lessThanOrEqual": "2.14.13.0, 2.16.7.0, 2.18.3.0",
                  "status": "affected",
                  "version": "2.0.0.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.14.14.0"
                },
                {
                  "status": "unaffected",
                  "version": "2.16.8.0"
                },
                {
                  "status": "unaffected",
                  "version": "2.18.4.0"
                }
              ]
            }
          ],
          "datePublic": "2023-11-07T23:03:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eYugabyteDB is vulnerable to cross site scripting (XSS) via log injection.\u0026nbsp;Writing invalidated user input to log files can allow an unprivileged\u0026nbsp;attacker to forge log entries or inject malicious content into the logs.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "YugabyteDB is vulnerable to cross site scripting (XSS) via log injection.\u00a0Writing invalidated user input to log files can allow an unprivileged\u00a0attacker to forge log entries or inject malicious content into the logs.\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-93",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-93: Log Injection-Tampering-Forging"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-117",
                  "description": "CWE-117: Improper Output Neutralization for Logs",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-09T19:18:33.398Z",
            "orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
            "shortName": "Yugabyte"
          },
          "references": [
            {
              "url": "https://www.yugabyte.com/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Log Injection",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
        "assignerShortName": "Yugabyte",
        "cveId": "CVE-2023-6002",
        "datePublished": "2023-11-07T23:56:50.729Z",
        "dateReserved": "2023-11-07T22:20:00.534Z",
        "dateUpdated": "2024-09-17T13:03:18.141Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-6001 (GCVE-0-2023-6001)

    Vulnerability from nvd – Published: 2023-11-07 23:25 – Updated: 2024-09-17 13:03
    VLAI
    Title
    Prometheus Metrics Accessible Pre-Authentication
    Summary
    Prometheus metrics are available without authentication. These expose detailed and sensitive information about the YugabyteDB Anywhere environment.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    YugabyteDB YugabyteDB Anywhere Affected: 2.0.0.0 , ≤ 2.18.3.0 (semver)
    Unaffected: 2.18.4.0
    Unaffected: 2.20.0.0
    Create a notification for this product.
    Date Public
    2023-11-07 23:03
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:14:25.143Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.yugabyte.com/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-6001",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-04T13:20:00.460298Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-17T13:03:52.610Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux",
                "Docker",
                "Kubernetes"
              ],
              "product": "YugabyteDB Anywhere",
              "vendor": "YugabyteDB",
              "versions": [
                {
                  "lessThanOrEqual": "2.18.3.0",
                  "status": "affected",
                  "version": "2.0.0.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.18.4.0"
                },
                {
                  "status": "unaffected",
                  "version": "2.20.0.0"
                }
              ]
            }
          ],
          "datePublic": "2023-11-07T23:03:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Prometheus metrics are available without\nauthentication. These expose detailed and sensitive information about the YugabyteDB Anywhere environment."
                }
              ],
              "value": "Prometheus metrics are available without\nauthentication. These expose detailed and sensitive information about the YugabyteDB Anywhere environment."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-09T19:19:02.713Z",
            "orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
            "shortName": "Yugabyte"
          },
          "references": [
            {
              "url": "https://www.yugabyte.com/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Prometheus Metrics Accessible Pre-Authentication",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
        "assignerShortName": "Yugabyte",
        "cveId": "CVE-2023-6001",
        "datePublished": "2023-11-07T23:25:16.135Z",
        "dateReserved": "2023-11-07T22:19:55.387Z",
        "dateUpdated": "2024-09-17T13:03:52.610Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-4640 (GCVE-0-2023-4640)

    Vulnerability from nvd – Published: 2023-08-30 16:42 – Updated: 2024-10-01 18:31
    VLAI
    Title
    Set Logging Level Without Authentication
    Summary
    The controller responsible for setting the logging level does not include any authorization checks to ensure the user is authenticated. This can be seen by noting that it extends Controller rather than AuthenticatedController and includes no further checks. This issue affects YugabyteDB Anywhere: from 2.0.0 through 2.17.3
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    YugabyteDB Anywhere Affected: 2.0.0 , ≤ 2.17.3 (2.17.3.0)
    Create a notification for this product.
    Date Public
    2023-08-30 16:42
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:31:06.630Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.yugabyte.com/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-4640",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-01T18:31:41.822513Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-01T18:31:56.957Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Anywhere",
              "repo": "https://github.com/yugabyte/yugabyte-db",
              "vendor": "YugabyteDB",
              "versions": [
                {
                  "lessThanOrEqual": "2.17.3",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "2.17.3.0"
                }
              ]
            }
          ],
          "datePublic": "2023-08-30T16:42:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eThe controller responsible for setting the logging level does not include any authorization\nchecks to ensure the user is authenticated. This can be seen by noting that it extends\n\u003c/span\u003e\u003cspan style=\"background-color: rgb(246, 246, 246);\"\u003eController \u003c/span\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003erather than \u003c/span\u003e\u003cspan style=\"background-color: rgb(246, 246, 246);\"\u003eAuthenticatedController \u003c/span\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eand includes no further checks.\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eThis issue affects YugabyteDB Anywhere: from 2.0.0 through 2.17.3\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "The controller responsible for setting the logging level does not include any authorization\nchecks to ensure the user is authenticated. This can be seen by noting that it extends\nController rather than AuthenticatedController and includes no further checks.\u00a0This issue affects YugabyteDB Anywhere: from 2.0.0 through 2.17.3\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-30T16:42:45.242Z",
            "orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
            "shortName": "Yugabyte"
          },
          "references": [
            {
              "url": "https://www.yugabyte.com/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Set Logging Level Without Authentication",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
        "assignerShortName": "Yugabyte",
        "cveId": "CVE-2023-4640",
        "datePublished": "2023-08-30T16:42:45.242Z",
        "dateReserved": "2023-08-30T16:41:56.711Z",
        "dateUpdated": "2024-10-01T18:31:56.957Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-0575 (GCVE-0-2023-0575)

    Vulnerability from nvd – Published: 2023-02-09 16:12 – Updated: 2025-03-24 18:34
    VLAI
    Title
    Remote Code Execution
    Summary
    External Control of Critical State Data, Improper Control of Generation of Code ('Code Injection') vulnerability in YugaByte, Inc. Yugabyte DB on Windows, Linux, MacOS, iOS (DevopsBase.Java:execCommand, TableManager.Java:runCommand modules) allows API Manipulation, Privilege Abuse. This vulnerability is associated with program files backup.Py. This issue affects Yugabyte DB: Lesser then 2.2.0.0
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-642 - External Control of Critical State Data
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    YugabyteDB YugabyteDB Affected: 2.0 , < 2.15 (2.0 to 2.14)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T05:17:49.883Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.yugabyte.com/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-0575",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-24T17:33:06.055344Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-24T18:34:16.202Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "DevopsBase.java:execCommand",
                "TableManager.java:runCommand"
              ],
              "platforms": [
                "Linux",
                "Docker",
                "Kubernetes",
                "MacOS"
              ],
              "product": "YugabyteDB",
              "vendor": "YugabyteDB",
              "versions": [
                {
                  "lessThan": "2.15",
                  "status": "affected",
                  "version": "2.0",
                  "versionType": "2.0 to 2.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "External Control of Critical State Data, Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in YugaByte, Inc. Yugabyte DB on Windows, Linux, MacOS, iOS (DevopsBase.Java:execCommand, TableManager.Java:runCommand modules) allows API Manipulation, Privilege Abuse.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003ebackup.Py\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects Yugabyte DB: Lesser then 2.2.0.0\u003c/p\u003e"
                }
              ],
              "value": "External Control of Critical State Data, Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in YugaByte, Inc. Yugabyte DB on Windows, Linux, MacOS, iOS (DevopsBase.Java:execCommand, TableManager.Java:runCommand modules) allows API Manipulation, Privilege Abuse. This vulnerability is associated with program files backup.Py.\n\nThis issue affects Yugabyte DB: Lesser then 2.2.0.0\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-113",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-113 API Manipulation"
                }
              ]
            },
            {
              "capecId": "CAPEC-122",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-122 Privilege Abuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-642",
                  "description": "CWE-642: External Control of Critical State Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-10T22:22:52.652Z",
            "orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
            "shortName": "Yugabyte"
          },
          "references": [
            {
              "url": "https://www.yugabyte.com/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Use Yugabyte version\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cb\u003e2.3.3.0-b106\u0026nbsp;\u003c/b\u003eor higher.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Use Yugabyte version\u00a02.3.3.0-b106\u00a0or higher.\n\n"
            }
          ],
          "source": {
            "defect": [
              "PLAT-3444"
            ],
            "discovery": "INTERNAL"
          },
          "title": "Remote Code Execution",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn \u003c/span\u003e\u003ccode\u003eyugaware/config/configs\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e folder there is a file \u003c/span\u003e\u003ccode\u003eacceptableKeys.yaml\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e which contains a list of acceptable keys for different types of providers. Edit it and restart the Yugaware process to reload the list.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "In yugaware/config/configs folder there is a file acceptableKeys.yaml which contains a list of acceptable keys for different types of providers. Edit it and restart the Yugaware process to reload the list.\n"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
        "assignerShortName": "Yugabyte",
        "cveId": "CVE-2023-0575",
        "datePublished": "2023-02-09T16:12:46.327Z",
        "dateReserved": "2023-01-30T08:16:20.523Z",
        "dateUpdated": "2025-03-24T18:34:16.202Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-37397 (GCVE-0-2022-37397)

    Vulnerability from nvd – Published: 2022-08-12 18:01 – Updated: 2024-08-03 10:29
    VLAI
    Title
    The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft’s Active Directory
    Summary
    An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft’s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password.
    CWE
    Assigner
    References
    URL Tags
    https://www.yugabyte.com/ x_refsource_CONFIRM
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T10:29:21.063Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.yugabyte.com/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "macos, darwin"
              ],
              "product": "Yugabyte DB",
              "vendor": "YugaByte, Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.6.1.0"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "value": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-16",
                  "description": "CWE-16 Configuration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-12T18:01:37.000Z",
            "orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
            "shortName": "Yugabyte"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.yugabyte.com/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to non-vulnerable version 2.6.1.1+"
            }
          ],
          "source": {
            "defect": [
              "PLAT-4383"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory",
          "workarounds": [
            {
              "lang": "en",
              "value": "Disable LDAP for YCQL."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@yugabyte.com",
              "ID": "CVE-2022-37397",
              "STATE": "PUBLIC",
              "TITLE": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yugabyte DB",
                          "version": {
                            "version_data": [
                              {
                                "platform": "macos, darwin",
                                "version_name": "2.6.1.0",
                                "version_value": "2.6.1.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "YugaByte, Inc."
                  }
                ]
              }
            },
            "configuration": [
              {
                "lang": "en",
                "value": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-287 Improper Authentication"
                    }
                  ]
                },
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-16 Configuration"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.yugabyte.com/",
                  "refsource": "CONFIRM",
                  "url": "https://www.yugabyte.com/"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to non-vulnerable version 2.6.1.1+"
              }
            ],
            "source": {
              "defect": [
                "PLAT-4383"
              ],
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "Disable LDAP for YCQL."
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
        "assignerShortName": "Yugabyte",
        "cveId": "CVE-2022-37397",
        "datePublished": "2022-08-12T18:01:37.000Z",
        "dateReserved": "2022-08-03T00:00:00.000Z",
        "dateUpdated": "2024-08-03T10:29:21.063Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-41435 (GCVE-0-2024-41435)

    Vulnerability from cvelistv5 – Published: 2024-09-03 00:00 – Updated: 2024-09-03 20:15
    VLAI
    Summary
    YugabyteDB v2.21.1.0 was discovered to contain a buffer overflow via the "insert into" parameter.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
    Assigner
    Impacted products
    Vendor Product Version
    yugabyte yugabytedb Affected: 2.21.1.0
        cpe:2.3:a:yugabyte:yugabytedb:2.21.1.0:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:yugabyte:yugabytedb:2.21.1.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "yugabytedb",
                "vendor": "yugabyte",
                "versions": [
                  {
                    "status": "affected",
                    "version": "2.21.1.0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-41435",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-03T20:13:37.543021Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-120",
                    "description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-03T20:15:08.289Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "YugabyteDB v2.21.1.0 was discovered to contain a buffer overflow via the \"insert into\" parameter."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-03T19:10:16.203Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/yugabyte/yugabyte-db/issues/22967"
            },
            {
              "url": "https://gist.github.com/ycybfhb/1427881e7db911786837d32b0669e06b"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2024-41435",
        "datePublished": "2024-09-03T00:00:00.000Z",
        "dateReserved": "2024-07-18T00:00:00.000Z",
        "dateUpdated": "2024-09-03T20:15:08.289Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-6002 (GCVE-0-2023-6002)

    Vulnerability from cvelistv5 – Published: 2023-11-07 23:56 – Updated: 2024-09-17 13:03
    VLAI
    Title
    Log Injection
    Summary
    YugabyteDB is vulnerable to cross site scripting (XSS) via log injection. Writing invalidated user input to log files can allow an unprivileged attacker to forge log entries or inject malicious content into the logs.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-117 - Improper Output Neutralization for Logs
    Assigner
    References
    Impacted products
    Vendor Product Version
    YugabyteDB YugabyteDB Affected: 2.0.0.0 , ≤ 2.14.13.0, 2.16.7.0, 2.18.3.0 (semver)
    Unaffected: 2.14.14.0
    Unaffected: 2.16.8.0
    Unaffected: 2.18.4.0
    Create a notification for this product.
    Date Public
    2023-11-07 23:03
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:14:25.135Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.yugabyte.com/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-6002",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-04T13:19:18.227681Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-17T13:03:18.141Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux",
                "Docker",
                "Kubernetes",
                "MacOS"
              ],
              "product": "YugabyteDB",
              "vendor": "YugabyteDB",
              "versions": [
                {
                  "lessThanOrEqual": "2.14.13.0, 2.16.7.0, 2.18.3.0",
                  "status": "affected",
                  "version": "2.0.0.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.14.14.0"
                },
                {
                  "status": "unaffected",
                  "version": "2.16.8.0"
                },
                {
                  "status": "unaffected",
                  "version": "2.18.4.0"
                }
              ]
            }
          ],
          "datePublic": "2023-11-07T23:03:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eYugabyteDB is vulnerable to cross site scripting (XSS) via log injection.\u0026nbsp;Writing invalidated user input to log files can allow an unprivileged\u0026nbsp;attacker to forge log entries or inject malicious content into the logs.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "YugabyteDB is vulnerable to cross site scripting (XSS) via log injection.\u00a0Writing invalidated user input to log files can allow an unprivileged\u00a0attacker to forge log entries or inject malicious content into the logs.\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-93",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-93: Log Injection-Tampering-Forging"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-117",
                  "description": "CWE-117: Improper Output Neutralization for Logs",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-09T19:18:33.398Z",
            "orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
            "shortName": "Yugabyte"
          },
          "references": [
            {
              "url": "https://www.yugabyte.com/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Log Injection",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
        "assignerShortName": "Yugabyte",
        "cveId": "CVE-2023-6002",
        "datePublished": "2023-11-07T23:56:50.729Z",
        "dateReserved": "2023-11-07T22:20:00.534Z",
        "dateUpdated": "2024-09-17T13:03:18.141Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-6001 (GCVE-0-2023-6001)

    Vulnerability from cvelistv5 – Published: 2023-11-07 23:25 – Updated: 2024-09-17 13:03
    VLAI
    Title
    Prometheus Metrics Accessible Pre-Authentication
    Summary
    Prometheus metrics are available without authentication. These expose detailed and sensitive information about the YugabyteDB Anywhere environment.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    YugabyteDB YugabyteDB Anywhere Affected: 2.0.0.0 , ≤ 2.18.3.0 (semver)
    Unaffected: 2.18.4.0
    Unaffected: 2.20.0.0
    Create a notification for this product.
    Date Public
    2023-11-07 23:03
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:14:25.143Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.yugabyte.com/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-6001",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-04T13:20:00.460298Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-17T13:03:52.610Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux",
                "Docker",
                "Kubernetes"
              ],
              "product": "YugabyteDB Anywhere",
              "vendor": "YugabyteDB",
              "versions": [
                {
                  "lessThanOrEqual": "2.18.3.0",
                  "status": "affected",
                  "version": "2.0.0.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.18.4.0"
                },
                {
                  "status": "unaffected",
                  "version": "2.20.0.0"
                }
              ]
            }
          ],
          "datePublic": "2023-11-07T23:03:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Prometheus metrics are available without\nauthentication. These expose detailed and sensitive information about the YugabyteDB Anywhere environment."
                }
              ],
              "value": "Prometheus metrics are available without\nauthentication. These expose detailed and sensitive information about the YugabyteDB Anywhere environment."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-09T19:19:02.713Z",
            "orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
            "shortName": "Yugabyte"
          },
          "references": [
            {
              "url": "https://www.yugabyte.com/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Prometheus Metrics Accessible Pre-Authentication",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
        "assignerShortName": "Yugabyte",
        "cveId": "CVE-2023-6001",
        "datePublished": "2023-11-07T23:25:16.135Z",
        "dateReserved": "2023-11-07T22:19:55.387Z",
        "dateUpdated": "2024-09-17T13:03:52.610Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-4640 (GCVE-0-2023-4640)

    Vulnerability from cvelistv5 – Published: 2023-08-30 16:42 – Updated: 2024-10-01 18:31
    VLAI
    Title
    Set Logging Level Without Authentication
    Summary
    The controller responsible for setting the logging level does not include any authorization checks to ensure the user is authenticated. This can be seen by noting that it extends Controller rather than AuthenticatedController and includes no further checks. This issue affects YugabyteDB Anywhere: from 2.0.0 through 2.17.3
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    YugabyteDB Anywhere Affected: 2.0.0 , ≤ 2.17.3 (2.17.3.0)
    Create a notification for this product.
    Date Public
    2023-08-30 16:42
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:31:06.630Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.yugabyte.com/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-4640",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-01T18:31:41.822513Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-01T18:31:56.957Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Anywhere",
              "repo": "https://github.com/yugabyte/yugabyte-db",
              "vendor": "YugabyteDB",
              "versions": [
                {
                  "lessThanOrEqual": "2.17.3",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "2.17.3.0"
                }
              ]
            }
          ],
          "datePublic": "2023-08-30T16:42:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eThe controller responsible for setting the logging level does not include any authorization\nchecks to ensure the user is authenticated. This can be seen by noting that it extends\n\u003c/span\u003e\u003cspan style=\"background-color: rgb(246, 246, 246);\"\u003eController \u003c/span\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003erather than \u003c/span\u003e\u003cspan style=\"background-color: rgb(246, 246, 246);\"\u003eAuthenticatedController \u003c/span\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eand includes no further checks.\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eThis issue affects YugabyteDB Anywhere: from 2.0.0 through 2.17.3\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "The controller responsible for setting the logging level does not include any authorization\nchecks to ensure the user is authenticated. This can be seen by noting that it extends\nController rather than AuthenticatedController and includes no further checks.\u00a0This issue affects YugabyteDB Anywhere: from 2.0.0 through 2.17.3\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-30T16:42:45.242Z",
            "orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
            "shortName": "Yugabyte"
          },
          "references": [
            {
              "url": "https://www.yugabyte.com/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Set Logging Level Without Authentication",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
        "assignerShortName": "Yugabyte",
        "cveId": "CVE-2023-4640",
        "datePublished": "2023-08-30T16:42:45.242Z",
        "dateReserved": "2023-08-30T16:41:56.711Z",
        "dateUpdated": "2024-10-01T18:31:56.957Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-0575 (GCVE-0-2023-0575)

    Vulnerability from cvelistv5 – Published: 2023-02-09 16:12 – Updated: 2025-03-24 18:34
    VLAI
    Title
    Remote Code Execution
    Summary
    External Control of Critical State Data, Improper Control of Generation of Code ('Code Injection') vulnerability in YugaByte, Inc. Yugabyte DB on Windows, Linux, MacOS, iOS (DevopsBase.Java:execCommand, TableManager.Java:runCommand modules) allows API Manipulation, Privilege Abuse. This vulnerability is associated with program files backup.Py. This issue affects Yugabyte DB: Lesser then 2.2.0.0
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-642 - External Control of Critical State Data
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    YugabyteDB YugabyteDB Affected: 2.0 , < 2.15 (2.0 to 2.14)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T05:17:49.883Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.yugabyte.com/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-0575",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-24T17:33:06.055344Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-24T18:34:16.202Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "DevopsBase.java:execCommand",
                "TableManager.java:runCommand"
              ],
              "platforms": [
                "Linux",
                "Docker",
                "Kubernetes",
                "MacOS"
              ],
              "product": "YugabyteDB",
              "vendor": "YugabyteDB",
              "versions": [
                {
                  "lessThan": "2.15",
                  "status": "affected",
                  "version": "2.0",
                  "versionType": "2.0 to 2.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "External Control of Critical State Data, Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in YugaByte, Inc. Yugabyte DB on Windows, Linux, MacOS, iOS (DevopsBase.Java:execCommand, TableManager.Java:runCommand modules) allows API Manipulation, Privilege Abuse.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003ebackup.Py\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects Yugabyte DB: Lesser then 2.2.0.0\u003c/p\u003e"
                }
              ],
              "value": "External Control of Critical State Data, Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in YugaByte, Inc. Yugabyte DB on Windows, Linux, MacOS, iOS (DevopsBase.Java:execCommand, TableManager.Java:runCommand modules) allows API Manipulation, Privilege Abuse. This vulnerability is associated with program files backup.Py.\n\nThis issue affects Yugabyte DB: Lesser then 2.2.0.0\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-113",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-113 API Manipulation"
                }
              ]
            },
            {
              "capecId": "CAPEC-122",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-122 Privilege Abuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-642",
                  "description": "CWE-642: External Control of Critical State Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-10T22:22:52.652Z",
            "orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
            "shortName": "Yugabyte"
          },
          "references": [
            {
              "url": "https://www.yugabyte.com/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Use Yugabyte version\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cb\u003e2.3.3.0-b106\u0026nbsp;\u003c/b\u003eor higher.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Use Yugabyte version\u00a02.3.3.0-b106\u00a0or higher.\n\n"
            }
          ],
          "source": {
            "defect": [
              "PLAT-3444"
            ],
            "discovery": "INTERNAL"
          },
          "title": "Remote Code Execution",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn \u003c/span\u003e\u003ccode\u003eyugaware/config/configs\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e folder there is a file \u003c/span\u003e\u003ccode\u003eacceptableKeys.yaml\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e which contains a list of acceptable keys for different types of providers. Edit it and restart the Yugaware process to reload the list.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "In yugaware/config/configs folder there is a file acceptableKeys.yaml which contains a list of acceptable keys for different types of providers. Edit it and restart the Yugaware process to reload the list.\n"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
        "assignerShortName": "Yugabyte",
        "cveId": "CVE-2023-0575",
        "datePublished": "2023-02-09T16:12:46.327Z",
        "dateReserved": "2023-01-30T08:16:20.523Z",
        "dateUpdated": "2025-03-24T18:34:16.202Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-37397 (GCVE-0-2022-37397)

    Vulnerability from cvelistv5 – Published: 2022-08-12 18:01 – Updated: 2024-08-03 10:29
    VLAI
    Title
    The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft’s Active Directory
    Summary
    An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft’s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password.
    CWE
    Assigner
    References
    URL Tags
    https://www.yugabyte.com/ x_refsource_CONFIRM
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T10:29:21.063Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.yugabyte.com/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "macos, darwin"
              ],
              "product": "Yugabyte DB",
              "vendor": "YugaByte, Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.6.1.0"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "value": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-16",
                  "description": "CWE-16 Configuration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-12T18:01:37.000Z",
            "orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
            "shortName": "Yugabyte"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.yugabyte.com/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to non-vulnerable version 2.6.1.1+"
            }
          ],
          "source": {
            "defect": [
              "PLAT-4383"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory",
          "workarounds": [
            {
              "lang": "en",
              "value": "Disable LDAP for YCQL."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@yugabyte.com",
              "ID": "CVE-2022-37397",
              "STATE": "PUBLIC",
              "TITLE": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yugabyte DB",
                          "version": {
                            "version_data": [
                              {
                                "platform": "macos, darwin",
                                "version_name": "2.6.1.0",
                                "version_value": "2.6.1.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "YugaByte, Inc."
                  }
                ]
              }
            },
            "configuration": [
              {
                "lang": "en",
                "value": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-287 Improper Authentication"
                    }
                  ]
                },
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-16 Configuration"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.yugabyte.com/",
                  "refsource": "CONFIRM",
                  "url": "https://www.yugabyte.com/"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to non-vulnerable version 2.6.1.1+"
              }
            ],
            "source": {
              "defect": [
                "PLAT-4383"
              ],
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "Disable LDAP for YCQL."
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
        "assignerShortName": "Yugabyte",
        "cveId": "CVE-2022-37397",
        "datePublished": "2022-08-12T18:01:37.000Z",
        "dateReserved": "2022-08-03T00:00:00.000Z",
        "dateUpdated": "2024-08-03T10:29:21.063Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }