Vulnerabilites related to YugabyteDB - Anywhere
CVE-2023-4640 (GCVE-0-2023-4640)
Vulnerability from cvelistv5
Published
2023-08-30 16:42
Modified
2024-10-01 18:31
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE
  • CWE-284 - Improper Access Control
Summary
The controller responsible for setting the logging level does not include any authorization checks to ensure the user is authenticated. This can be seen by noting that it extends Controller rather than AuthenticatedController and includes no further checks. This issue affects YugabyteDB Anywhere: from 2.0.0 through 2.17.3
References
https://www.yugabyte.com/
Impacted products
Vendor Product Version
YugabyteDB Anywhere Version: 2.0.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:31:06.630Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.yugabyte.com/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4640",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-01T18:31:41.822513Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-01T18:31:56.957Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Anywhere",
          "repo": "https://github.com/yugabyte/yugabyte-db",
          "vendor": "YugabyteDB",
          "versions": [
            {
              "lessThanOrEqual": "2.17.3",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "2.17.3.0"
            }
          ]
        }
      ],
      "datePublic": "2023-08-30T16:42:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eThe controller responsible for setting the logging level does not include any authorization\nchecks to ensure the user is authenticated. This can be seen by noting that it extends\n\u003c/span\u003e\u003cspan style=\"background-color: rgb(246, 246, 246);\"\u003eController \u003c/span\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003erather than \u003c/span\u003e\u003cspan style=\"background-color: rgb(246, 246, 246);\"\u003eAuthenticatedController \u003c/span\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eand includes no further checks.\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eThis issue affects YugabyteDB Anywhere: from 2.0.0 through 2.17.3\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "The controller responsible for setting the logging level does not include any authorization\nchecks to ensure the user is authenticated. This can be seen by noting that it extends\nController rather than AuthenticatedController and includes no further checks.\u00a0This issue affects YugabyteDB Anywhere: from 2.0.0 through 2.17.3\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-115",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-115 Authentication Bypass"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-30T16:42:45.242Z",
        "orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
        "shortName": "Yugabyte"
      },
      "references": [
        {
          "url": "https://www.yugabyte.com/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Set Logging Level Without Authentication",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
    "assignerShortName": "Yugabyte",
    "cveId": "CVE-2023-4640",
    "datePublished": "2023-08-30T16:42:45.242Z",
    "dateReserved": "2023-08-30T16:41:56.711Z",
    "dateUpdated": "2024-10-01T18:31:56.957Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}