CVE-2024-11165

Nov. 21, 2024, 5:15 p.m.

None
No Score

Description

An information disclosure vulnerability exists in the backup configuration process where the SAS token is not masked in the configuration response. This oversight results in sensitive information leakage within the yb_backup log files, exposing the SAS token in plaintext. The leakage occurs during the backup procedure, leading to potential unauthorized access to resources associated with the SAS token. This issue affects YugabyteDB Anywhere: from 2.20.0.0 before 2.20.7.0, from 2.23.0.0 before 2.23.1.0, from 2024.1.0.0 before 2024.1.3.0.

Product(s) Impacted

Product Versions
YugabyteDB Anywhere
  • ['2.20.0.0 - 2.20.7.0', '2.23.0.0 - 2.23.1.0', '2024.1.0.0 - 2024.1.3.0']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-532
Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References

https://github.com/yugabyte/yugabyte-db/commit/920989b6c0db0222bb7a0cce46febc76cf72d438

Tags

CWE-532
security@yugabyte.com
2024-11-13
CVE-2024-11165

Timeline

Published: Nov. 13, 2024, 3:15 p.m.
Last Modified: Nov. 21, 2024, 5:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@yugabyte.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.