Vulnerability-Lookup

WID-SEC-W-2024-0456

Vulnerability from csaf_certbund - Published: 2024-02-21 23:00 - Updated: 2024-02-21 23:00

Summary

Event Store EventStoreDB: Schwachstelle ermöglicht Offenlegung von Informationen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

EventStoreDB ist eine Datenbank zur Unterstützung des Event-Sourcing-Konzepts.

Angriff

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Event Store EventStoreDB ausnutzen, um Informationen offenzulegen.

Betroffene Betriebssysteme

- Linux - MacOS X - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "EventStoreDB ist eine Datenbank zur Unterst\u00fctzung des Event-Sourcing-Konzepts.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Event Store EventStoreDB ausnutzen, um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- MacOS X\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-0456 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0456.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-0456 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0456"
      },
      {
        "category": "external",
        "summary": "EventStoreDB Security Release vom 2024-02-21",
        "url": "https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133"
      },
      {
        "category": "external",
        "summary": "EventStoreDB Security Release vom 2024-02-21",
        "url": "https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684"
      }
    ],
    "source_lang": "en-US",
    "title": "Event Store EventStoreDB: Schwachstelle erm\u00f6glicht Offenlegung von Informationen",
    "tracking": {
      "current_release_date": "2024-02-21T23:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:05:36.048+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2024-0456",
      "initial_release_date": "2024-02-21T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-02-21T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 23.10.1",
                "product": {
                  "name": "Event Store EventStoreDB \u003c 23.10.1",
                  "product_id": "T033051"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c 22.10.5",
                "product": {
                  "name": "Event Store EventStoreDB \u003c 22.10.5",
                  "product_id": "T033052"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c 21.10.11",
                "product": {
                  "name": "Event Store EventStoreDB \u003c 21.10.11",
                  "product_id": "T033053"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c 20.10.6",
                "product": {
                  "name": "Event Store EventStoreDB \u003c 20.10.6",
                  "product_id": "T033054"
                }
              }
            ],
            "category": "product_name",
            "name": "EventStoreDB"
          }
        ],
        "category": "vendor",
        "name": "Event Store"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-26133",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Event Store EventStoreDB. Dieser Fehler besteht im Projections-Subsystem, da die Passw\u00f6rter f\u00fcr diejenigen zug\u00e4nglich sind, die Zugriff auf die Chunk-Dateien auf der Festplatte haben. Ein entfernter, authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um vertrauliche Informationen offenzulegen."
        }
      ],
      "release_date": "2024-02-21T23:00:00.000+00:00",
      "title": "CVE-2024-26133"
    }
  ]
}

CVE-2024-26133 (GCVE-0-2024-26133)

Vulnerability from cvelistv5 – Published: 2024-02-21 16:49 – Updated: 2024-08-01 23:59

Title

EventStoreDB Projections Subsystem has potential password leak

Summary

EventStoreDB (ESDB) is an operational database built to store events. A vulnerability has been identified in the projections subsystem in versions 20 prior to 20.10.6, 21 prior to 21.10.11, 22 prior to 22.10.5, and 23 prior to 23.10.1. Only database instances that use custom projections are affected by this vulnerability. User passwords may become accessible to those who have access to the chunk files on disk, and users who have read access to system streams. Only users in the `$admins` group can access system streams by default. ESDB 23.10.1, 22.10.5, 21.10.11, and 20.10.6 contain a patch for this issue. Users should upgrade EventStoreDB, reset the passwords for current and previous members of `$admins` and `$ops` groups, and, if a password was reused in any other system, reset it in those systems to a unique password to follow best practices. If an upgrade cannot be done immediately, reset the passwords for current and previous members of `$admins` and `$ops` groups. Avoid creating custom projections until the patch has been applied.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L

CWE

CWE-256 - Plaintext Storage of a Password

Assigner

GitHub_M

References

URL

Tags

	https://github.com/EventStore/EventStore/security…	x_refsource_CONFIRM
	https://github.com/EventStore/EventStore/commit/6…	x_refsource_MISC
	https://developers.eventstore.com/cloud/ops/#upgr…	x_refsource_MISC
	https://developers.eventstore.com/server/v22.10/u…	x_refsource_MISC
	https://www.eventstore.com/blog/eventstoredb-secu…	x_refsource_MISC
	https://www.eventstore.com/blog/new-version-strategy	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	EventStore	EventStore	Affected: >= 23.0.0, < 23.10.1 Affected: >= 22.0.0, < 22.10.5 Affected: >= 21.0.0, < 21.10.11 Affected: >= 20.0.0, < 20.10.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26133",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-21T20:39:57.383915Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:21:53.650Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:59:32.615Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684"
          },
          {
            "name": "https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf"
          },
          {
            "name": "https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version"
          },
          {
            "name": "https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10"
          },
          {
            "name": "https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133"
          },
          {
            "name": "https://www.eventstore.com/blog/new-version-strategy",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.eventstore.com/blog/new-version-strategy"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "EventStore",
          "vendor": "EventStore",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 23.0.0, \u003c 23.10.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 22.0.0, \u003c 22.10.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 21.0.0, \u003c 21.10.11"
            },
            {
              "status": "affected",
              "version": "\u003e= 20.0.0, \u003c 20.10.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "EventStoreDB (ESDB) is an operational database built to store events. A vulnerability has been identified in the projections subsystem in versions 20 prior to 20.10.6, 21 prior to 21.10.11, 22 prior to 22.10.5, and 23 prior to 23.10.1. Only database instances that use custom projections are affected by this vulnerability. User passwords may become accessible to those who have access to the chunk files on disk, and users who have read access to system streams. Only users in the `$admins` group can access system streams by default. ESDB 23.10.1, 22.10.5, 21.10.11, and 20.10.6 contain a patch for this issue. Users should upgrade EventStoreDB, reset the passwords for current and previous members of `$admins` and `$ops` groups, and, if a password was reused in any other system, reset it in those systems to a unique password to follow best practices. If an upgrade cannot be done immediately, reset the passwords for current and previous members of `$admins` and `$ops` groups. Avoid creating custom projections until the patch has been applied."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-256",
              "description": "CWE-256: Plaintext Storage of a Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-21T16:49:32.426Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684"
        },
        {
          "name": "https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf"
        },
        {
          "name": "https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version"
        },
        {
          "name": "https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10"
        },
        {
          "name": "https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133"
        },
        {
          "name": "https://www.eventstore.com/blog/new-version-strategy",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.eventstore.com/blog/new-version-strategy"
        }
      ],
      "source": {
        "advisory": "GHSA-6r53-v8hj-x684",
        "discovery": "UNKNOWN"
      },
      "title": "EventStoreDB Projections Subsystem has potential password leak"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-26133",
    "datePublished": "2024-02-21T16:49:32.426Z",
    "dateReserved": "2024-02-14T17:40:03.687Z",
    "dateUpdated": "2024-08-01T23:59:32.615Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2024-0456

CVE-2024-26133 (GCVE-0-2024-26133)

Tags

Sightings

Nomenclature