Vulnerability-Lookup

CVE-2024-26133 (GCVE-0-2024-26133)

Vulnerability from cvelistv5 – Published: 2024-02-21 16:49 – Updated: 2024-08-01 23:59

Title

EventStoreDB Projections Subsystem has potential password leak

Summary

EventStoreDB (ESDB) is an operational database built to store events. A vulnerability has been identified in the projections subsystem in versions 20 prior to 20.10.6, 21 prior to 21.10.11, 22 prior to 22.10.5, and 23 prior to 23.10.1. Only database instances that use custom projections are affected by this vulnerability. User passwords may become accessible to those who have access to the chunk files on disk, and users who have read access to system streams. Only users in the `$admins` group can access system streams by default. ESDB 23.10.1, 22.10.5, 21.10.11, and 20.10.6 contain a patch for this issue. Users should upgrade EventStoreDB, reset the passwords for current and previous members of `$admins` and `$ops` groups, and, if a password was reused in any other system, reset it in those systems to a unique password to follow best practices. If an upgrade cannot be done immediately, reset the passwords for current and previous members of `$admins` and `$ops` groups. Avoid creating custom projections until the patch has been applied.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L

CWE

CWE-256 - Plaintext Storage of a Password

Assigner

GitHub_M

References

URL

Tags

	https://github.com/EventStore/EventStore/security…	x_refsource_CONFIRM
	https://github.com/EventStore/EventStore/commit/6…	x_refsource_MISC
	https://developers.eventstore.com/cloud/ops/#upgr…	x_refsource_MISC
	https://developers.eventstore.com/server/v22.10/u…	x_refsource_MISC
	https://www.eventstore.com/blog/eventstoredb-secu…	x_refsource_MISC
	https://www.eventstore.com/blog/new-version-strategy	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	EventStore	EventStore	Affected: >= 23.0.0, < 23.10.1 Affected: >= 22.0.0, < 22.10.5 Affected: >= 21.0.0, < 21.10.11 Affected: >= 20.0.0, < 20.10.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26133",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-21T20:39:57.383915Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:21:53.650Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:59:32.615Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684"
          },
          {
            "name": "https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf"
          },
          {
            "name": "https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version"
          },
          {
            "name": "https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10"
          },
          {
            "name": "https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133"
          },
          {
            "name": "https://www.eventstore.com/blog/new-version-strategy",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.eventstore.com/blog/new-version-strategy"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "EventStore",
          "vendor": "EventStore",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 23.0.0, \u003c 23.10.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 22.0.0, \u003c 22.10.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 21.0.0, \u003c 21.10.11"
            },
            {
              "status": "affected",
              "version": "\u003e= 20.0.0, \u003c 20.10.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "EventStoreDB (ESDB) is an operational database built to store events. A vulnerability has been identified in the projections subsystem in versions 20 prior to 20.10.6, 21 prior to 21.10.11, 22 prior to 22.10.5, and 23 prior to 23.10.1. Only database instances that use custom projections are affected by this vulnerability. User passwords may become accessible to those who have access to the chunk files on disk, and users who have read access to system streams. Only users in the `$admins` group can access system streams by default. ESDB 23.10.1, 22.10.5, 21.10.11, and 20.10.6 contain a patch for this issue. Users should upgrade EventStoreDB, reset the passwords for current and previous members of `$admins` and `$ops` groups, and, if a password was reused in any other system, reset it in those systems to a unique password to follow best practices. If an upgrade cannot be done immediately, reset the passwords for current and previous members of `$admins` and `$ops` groups. Avoid creating custom projections until the patch has been applied."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-256",
              "description": "CWE-256: Plaintext Storage of a Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-21T16:49:32.426Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684"
        },
        {
          "name": "https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf"
        },
        {
          "name": "https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version"
        },
        {
          "name": "https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10"
        },
        {
          "name": "https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133"
        },
        {
          "name": "https://www.eventstore.com/blog/new-version-strategy",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.eventstore.com/blog/new-version-strategy"
        }
      ],
      "source": {
        "advisory": "GHSA-6r53-v8hj-x684",
        "discovery": "UNKNOWN"
      },
      "title": "EventStoreDB Projections Subsystem has potential password leak"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-26133",
    "datePublished": "2024-02-21T16:49:32.426Z",
    "dateReserved": "2024-02-14T17:40:03.687Z",
    "dateUpdated": "2024-08-01T23:59:32.615Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26133\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-02-21T17:15:10.060\",\"lastModified\":\"2025-02-04T15:07:56.017\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"EventStoreDB (ESDB) is an operational database built to store events. A vulnerability has been identified in the projections subsystem in versions 20 prior to 20.10.6, 21 prior to 21.10.11, 22 prior to 22.10.5, and 23 prior to 23.10.1. Only database instances that use custom projections are affected by this vulnerability. User passwords may become accessible to those who have access to the chunk files on disk, and users who have read access to system streams. Only users in the `$admins` group can access system streams by default. ESDB 23.10.1, 22.10.5, 21.10.11, and 20.10.6 contain a patch for this issue. Users should upgrade EventStoreDB, reset the passwords for current and previous members of `$admins` and `$ops` groups, and, if a password was reused in any other system, reset it in those systems to a unique password to follow best practices. If an upgrade cannot be done immediately, reset the passwords for current and previous members of `$admins` and `$ops` groups. Avoid creating custom projections until the patch has been applied.\"},{\"lang\":\"es\",\"value\":\"EventStoreDB (ESDB) es una base de datos operativa creada para almacenar eventos. Se ha identificado una vulnerabilidad en el subsistema de proyecciones en las versiones 20 anteriores a la 20.10.6, 21 anteriores a la 21.10.11, 22 anteriores a la 22.10.5 y 23 anteriores a la 23.10.1. Esta vulnerabilidad solo afecta las instancias de bases de datos que utilizan proyecciones personalizadas. Las contrase\u00f1as de usuario pueden volverse accesibles para aquellos que tienen acceso a los archivos fragmentados en el disco y para los usuarios que tienen acceso de lectura a las secuencias del sistema. Solo los usuarios del grupo `$admins` pueden acceder a las transmisiones del sistema de forma predeterminada. ESDB 23.10.1, 22.10.5, 21.10.11 y 20.10.6 contienen un parche para este problema. Los usuarios deben actualizar EventStoreDB, restablecer las contrase\u00f1as de los miembros actuales y anteriores de los grupos `$admins` y `$ops` y, si se reutiliz\u00f3 una contrase\u00f1a en cualquier otro sistema, restablecerla en esos sistemas a una contrase\u00f1a \u00fanica para seguir las mejores pr\u00e1cticas. Si no se puede realizar una actualizaci\u00f3n de inmediato, restablezca las contrase\u00f1as de los miembros actuales y anteriores de los grupos `$admins` y `$ops`. Evite crear proyecciones personalizadas hasta que se haya aplicado el parche.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.2,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":4.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-256\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-522\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kurrent:eventstoredb:*:*:*:*:open-source:*:*:*\",\"versionStartIncluding\":\"20.10.0\",\"versionEndExcluding\":\"20.10.6\",\"matchCriteriaId\":\"121A0F5F-F477-4096-B9DD-56B345A1DF25\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kurrent:eventstoredb:*:*:*:*:open-source:*:*:*\",\"versionStartIncluding\":\"21.10.0\",\"versionEndExcluding\":\"21.10.11\",\"matchCriteriaId\":\"0F82D0FF-AB86-47A8-B276-94665844CDDC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kurrent:eventstoredb:*:*:*:*:open-source:*:*:*\",\"versionStartIncluding\":\"22.10.0\",\"versionEndExcluding\":\"22.10.5\",\"matchCriteriaId\":\"34D1C437-C3A1-4307-861A-12D5DBE30220\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kurrent:eventstoredb:*:*:*:*:open-source:*:*:*\",\"versionStartIncluding\":\"23.10.0\",\"versionEndExcluding\":\"23.10.1\",\"matchCriteriaId\":\"BB3E5FBA-1300-4774-A3D4-64F5FA02375D\"}]}]}],\"references\":[{\"url\":\"https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://www.eventstore.com/blog/new-version-strategy\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://www.eventstore.com/blog/new-version-strategy\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-26133\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-02-21T20:39:57.383915Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-05T15:20:40.496Z\"}}], \"cna\": {\"title\": \"EventStoreDB Projections Subsystem has potential password leak\", \"source\": {\"advisory\": \"GHSA-6r53-v8hj-x684\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"EventStore\", \"product\": \"EventStore\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 23.0.0, \u003c 23.10.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 22.0.0, \u003c 22.10.5\"}, {\"status\": \"affected\", \"version\": \"\u003e= 21.0.0, \u003c 21.10.11\"}, {\"status\": \"affected\", \"version\": \"\u003e= 20.0.0, \u003c 20.10.6\"}]}], \"references\": [{\"url\": \"https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684\", \"name\": \"https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf\", \"name\": \"https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version\", \"name\": \"https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10\", \"name\": \"https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133\", \"name\": \"https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://www.eventstore.com/blog/new-version-strategy\", \"name\": \"https://www.eventstore.com/blog/new-version-strategy\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"EventStoreDB (ESDB) is an operational database built to store events. A vulnerability has been identified in the projections subsystem in versions 20 prior to 20.10.6, 21 prior to 21.10.11, 22 prior to 22.10.5, and 23 prior to 23.10.1. Only database instances that use custom projections are affected by this vulnerability. User passwords may become accessible to those who have access to the chunk files on disk, and users who have read access to system streams. Only users in the `$admins` group can access system streams by default. ESDB 23.10.1, 22.10.5, 21.10.11, and 20.10.6 contain a patch for this issue. Users should upgrade EventStoreDB, reset the passwords for current and previous members of `$admins` and `$ops` groups, and, if a password was reused in any other system, reset it in those systems to a unique password to follow best practices. If an upgrade cannot be done immediately, reset the passwords for current and previous members of `$admins` and `$ops` groups. Avoid creating custom projections until the patch has been applied.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-256\", \"description\": \"CWE-256: Plaintext Storage of a Password\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-02-21T16:49:32.426Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-26133\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-07-05T17:21:53.650Z\", \"dateReserved\": \"2024-02-14T17:40:03.687Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-02-21T16:49:32.426Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2024-26133

Vulnerability from fkie_nvd - Published: 2024-02-21 17:15 - Updated: 2025-02-04 15:07

Severity ?

5.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version	Product
security-advisories@github.com	https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10	Release Notes
security-advisories@github.com	https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf	Patch
security-advisories@github.com	https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684	Vendor Advisory
security-advisories@github.com	https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133	Broken Link
security-advisories@github.com	https://www.eventstore.com/blog/new-version-strategy	Broken Link
af854a3a-2127-422b-91ae-364da2661108	https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version	Product
af854a3a-2127-422b-91ae-364da2661108	https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133	Broken Link
af854a3a-2127-422b-91ae-364da2661108	https://www.eventstore.com/blog/new-version-strategy	Broken Link

Impacted products

Vendor	Product	Version
kurrent	eventstoredb	*
kurrent	eventstoredb	*
kurrent	eventstoredb	*
kurrent	eventstoredb	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:kurrent:eventstoredb:*:*:*:*:open-source:*:*:*",
              "matchCriteriaId": "121A0F5F-F477-4096-B9DD-56B345A1DF25",
              "versionEndExcluding": "20.10.6",
              "versionStartIncluding": "20.10.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:kurrent:eventstoredb:*:*:*:*:open-source:*:*:*",
              "matchCriteriaId": "0F82D0FF-AB86-47A8-B276-94665844CDDC",
              "versionEndExcluding": "21.10.11",
              "versionStartIncluding": "21.10.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:kurrent:eventstoredb:*:*:*:*:open-source:*:*:*",
              "matchCriteriaId": "34D1C437-C3A1-4307-861A-12D5DBE30220",
              "versionEndExcluding": "22.10.5",
              "versionStartIncluding": "22.10.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:kurrent:eventstoredb:*:*:*:*:open-source:*:*:*",
              "matchCriteriaId": "BB3E5FBA-1300-4774-A3D4-64F5FA02375D",
              "versionEndExcluding": "23.10.1",
              "versionStartIncluding": "23.10.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "EventStoreDB (ESDB) is an operational database built to store events. A vulnerability has been identified in the projections subsystem in versions 20 prior to 20.10.6, 21 prior to 21.10.11, 22 prior to 22.10.5, and 23 prior to 23.10.1. Only database instances that use custom projections are affected by this vulnerability. User passwords may become accessible to those who have access to the chunk files on disk, and users who have read access to system streams. Only users in the `$admins` group can access system streams by default. ESDB 23.10.1, 22.10.5, 21.10.11, and 20.10.6 contain a patch for this issue. Users should upgrade EventStoreDB, reset the passwords for current and previous members of `$admins` and `$ops` groups, and, if a password was reused in any other system, reset it in those systems to a unique password to follow best practices. If an upgrade cannot be done immediately, reset the passwords for current and previous members of `$admins` and `$ops` groups. Avoid creating custom projections until the patch has been applied."
    },
    {
      "lang": "es",
      "value": "EventStoreDB (ESDB) es una base de datos operativa creada para almacenar eventos. Se ha identificado una vulnerabilidad en el subsistema de proyecciones en las versiones 20 anteriores a la 20.10.6, 21 anteriores a la 21.10.11, 22 anteriores a la 22.10.5 y 23 anteriores a la 23.10.1. Esta vulnerabilidad solo afecta las instancias de bases de datos que utilizan proyecciones personalizadas. Las contrase\u00f1as de usuario pueden volverse accesibles para aquellos que tienen acceso a los archivos fragmentados en el disco y para los usuarios que tienen acceso de lectura a las secuencias del sistema. Solo los usuarios del grupo `$admins` pueden acceder a las transmisiones del sistema de forma predeterminada. ESDB 23.10.1, 22.10.5, 21.10.11 y 20.10.6 contienen un parche para este problema. Los usuarios deben actualizar EventStoreDB, restablecer las contrase\u00f1as de los miembros actuales y anteriores de los grupos `$admins` y `$ops` y, si se reutiliz\u00f3 una contrase\u00f1a en cualquier otro sistema, restablecerla en esos sistemas a una contrase\u00f1a \u00fanica para seguir las mejores pr\u00e1cticas. Si no se puede realizar una actualizaci\u00f3n de inmediato, restablezca las contrase\u00f1as de los miembros actuales y anteriores de los grupos `$admins` y `$ops`. Evite crear proyecciones personalizadas hasta que se haya aplicado el parche."
    }
  ],
  "id": "CVE-2024-26133",
  "lastModified": "2025-02-04T15:07:56.017",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-21T17:15:10.060",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Broken Link"
      ],
      "url": "https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Broken Link"
      ],
      "url": "https://www.eventstore.com/blog/new-version-strategy"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "https://www.eventstore.com/blog/new-version-strategy"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-256"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-522"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2024-26133

Vulnerability from gsd - Updated: 2024-02-15 06:02

Details

Aliases

CVE-2024-26133

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-26133"
      ],
      "details": "EventStoreDB (ESDB) is an operational database built to store events. A vulnerability has been identified in the projections subsystem in versions 20 prior to 20.10.6, 21 prior to 21.10.11, 22 prior to 22.10.5, and 23 prior to 23.10.1. Only database instances that use custom projections are affected by this vulnerability. User passwords may become accessible to those who have access to the chunk files on disk, and users who have read access to system streams. Only users in the `$admins` group can access system streams by default. ESDB 23.10.1, 22.10.5, 21.10.11, and 20.10.6 contain a patch for this issue. Users should upgrade EventStoreDB, reset the passwords for current and previous members of `$admins` and `$ops` groups, and, if a password was reused in any other system, reset it in those systems to a unique password to follow best practices. If an upgrade cannot be done immediately, reset the passwords for current and previous members of `$admins` and `$ops` groups. Avoid creating custom projections until the patch has been applied.",
      "id": "GSD-2024-26133",
      "modified": "2024-02-15T06:02:25.152646Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-26133",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "EventStore",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 23.0.0, \u003c 23.10.1"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 22.0.0, \u003c 22.10.5"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 21.0.0, \u003c 21.10.11"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 20.0.0, \u003c 20.10.6"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "EventStore"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "EventStoreDB (ESDB) is an operational database built to store events. A vulnerability has been identified in the projections subsystem in versions 20 prior to 20.10.6, 21 prior to 21.10.11, 22 prior to 22.10.5, and 23 prior to 23.10.1. Only database instances that use custom projections are affected by this vulnerability. User passwords may become accessible to those who have access to the chunk files on disk, and users who have read access to system streams. Only users in the `$admins` group can access system streams by default. ESDB 23.10.1, 22.10.5, 21.10.11, and 20.10.6 contain a patch for this issue. Users should upgrade EventStoreDB, reset the passwords for current and previous members of `$admins` and `$ops` groups, and, if a password was reused in any other system, reset it in those systems to a unique password to follow best practices. If an upgrade cannot be done immediately, reset the passwords for current and previous members of `$admins` and `$ops` groups. Avoid creating custom projections until the patch has been applied."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-256",
                "lang": "eng",
                "value": "CWE-256: Plaintext Storage of a Password"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684",
            "refsource": "MISC",
            "url": "https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684"
          },
          {
            "name": "https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf",
            "refsource": "MISC",
            "url": "https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf"
          },
          {
            "name": "https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version",
            "refsource": "MISC",
            "url": "https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version"
          },
          {
            "name": "https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10",
            "refsource": "MISC",
            "url": "https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10"
          },
          {
            "name": "https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133",
            "refsource": "MISC",
            "url": "https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133"
          },
          {
            "name": "https://www.eventstore.com/blog/new-version-strategy",
            "refsource": "MISC",
            "url": "https://www.eventstore.com/blog/new-version-strategy"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-6r53-v8hj-x684",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "EventStoreDB (ESDB) is an operational database built to store events. A vulnerability has been identified in the projections subsystem in versions 20 prior to 20.10.6, 21 prior to 21.10.11, 22 prior to 22.10.5, and 23 prior to 23.10.1. Only database instances that use custom projections are affected by this vulnerability. User passwords may become accessible to those who have access to the chunk files on disk, and users who have read access to system streams. Only users in the `$admins` group can access system streams by default. ESDB 23.10.1, 22.10.5, 21.10.11, and 20.10.6 contain a patch for this issue. Users should upgrade EventStoreDB, reset the passwords for current and previous members of `$admins` and `$ops` groups, and, if a password was reused in any other system, reset it in those systems to a unique password to follow best practices. If an upgrade cannot be done immediately, reset the passwords for current and previous members of `$admins` and `$ops` groups. Avoid creating custom projections until the patch has been applied."
          },
          {
            "lang": "es",
            "value": "EventStoreDB (ESDB) es una base de datos operativa creada para almacenar eventos. Se ha identificado una vulnerabilidad en el subsistema de proyecciones en las versiones 20 anteriores a la 20.10.6, 21 anteriores a la 21.10.11, 22 anteriores a la 22.10.5 y 23 anteriores a la 23.10.1. Esta vulnerabilidad solo afecta las instancias de bases de datos que utilizan proyecciones personalizadas. Las contrase\u00f1as de usuario pueden volverse accesibles para aquellos que tienen acceso a los archivos fragmentados en el disco y para los usuarios que tienen acceso de lectura a las secuencias del sistema. Solo los usuarios del grupo `$admins` pueden acceder a las transmisiones del sistema de forma predeterminada. ESDB 23.10.1, 22.10.5, 21.10.11 y 20.10.6 contienen un parche para este problema. Los usuarios deben actualizar EventStoreDB, restablecer las contrase\u00f1as de los miembros actuales y anteriores de los grupos `$admins` y `$ops` y, si se reutiliz\u00f3 una contrase\u00f1a en cualquier otro sistema, restablecerla en esos sistemas a una contrase\u00f1a \u00fanica para seguir las mejores pr\u00e1cticas. Si no se puede realizar una actualizaci\u00f3n de inmediato, restablezca las contrase\u00f1as de los miembros actuales y anteriores de los grupos `$admins` y `$ops`. Evite crear proyecciones personalizadas hasta que se haya aplicado el parche."
          }
        ],
        "id": "CVE-2024-26133",
        "lastModified": "2024-02-22T19:07:27.197",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L",
                "version": "3.1"
              },
              "exploitabilityScore": 1.2,
              "impactScore": 4.2,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-02-21T17:15:10.060",
        "references": [
          {
            "source": "security-advisories@github.com",
            "url": "https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://www.eventstore.com/blog/new-version-strategy"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-256"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

WID-SEC-W-2024-0456

Vulnerability from csaf_certbund - Published: 2024-02-21 23:00 - Updated: 2024-02-21 23:00

Summary

Event Store EventStoreDB: Schwachstelle ermöglicht Offenlegung von Informationen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

EventStoreDB ist eine Datenbank zur Unterstützung des Event-Sourcing-Konzepts.

Angriff

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Event Store EventStoreDB ausnutzen, um Informationen offenzulegen.

Betroffene Betriebssysteme

- Linux - MacOS X - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "EventStoreDB ist eine Datenbank zur Unterst\u00fctzung des Event-Sourcing-Konzepts.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Event Store EventStoreDB ausnutzen, um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- MacOS X\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-0456 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0456.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-0456 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0456"
      },
      {
        "category": "external",
        "summary": "EventStoreDB Security Release vom 2024-02-21",
        "url": "https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133"
      },
      {
        "category": "external",
        "summary": "EventStoreDB Security Release vom 2024-02-21",
        "url": "https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684"
      }
    ],
    "source_lang": "en-US",
    "title": "Event Store EventStoreDB: Schwachstelle erm\u00f6glicht Offenlegung von Informationen",
    "tracking": {
      "current_release_date": "2024-02-21T23:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:05:36.048+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2024-0456",
      "initial_release_date": "2024-02-21T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-02-21T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 23.10.1",
                "product": {
                  "name": "Event Store EventStoreDB \u003c 23.10.1",
                  "product_id": "T033051"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c 22.10.5",
                "product": {
                  "name": "Event Store EventStoreDB \u003c 22.10.5",
                  "product_id": "T033052"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c 21.10.11",
                "product": {
                  "name": "Event Store EventStoreDB \u003c 21.10.11",
                  "product_id": "T033053"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c 20.10.6",
                "product": {
                  "name": "Event Store EventStoreDB \u003c 20.10.6",
                  "product_id": "T033054"
                }
              }
            ],
            "category": "product_name",
            "name": "EventStoreDB"
          }
        ],
        "category": "vendor",
        "name": "Event Store"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-26133",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Event Store EventStoreDB. Dieser Fehler besteht im Projections-Subsystem, da die Passw\u00f6rter f\u00fcr diejenigen zug\u00e4nglich sind, die Zugriff auf die Chunk-Dateien auf der Festplatte haben. Ein entfernter, authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um vertrauliche Informationen offenzulegen."
        }
      ],
      "release_date": "2024-02-21T23:00:00.000+00:00",
      "title": "CVE-2024-26133"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-26133 (GCVE-0-2024-26133)

FKIE_CVE-2024-26133

GSD-2024-26133

WID-SEC-W-2024-0456

Tags

Sightings

Nomenclature