CVE-2023-46739
MEDIUMCubeFS < 3.3.1 - Timing Attack via UserService Password Comparison
Title source: llmDescription
CubeFS is an open-source cloud-native file storage system. A vulnerability was found during in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the UserService of the master component. The UserService gets instantiated when starting the server of the master component. The issue has been patched in v3.3.1. For impacted users, there is no other way to mitigate the issue besides upgrading.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_confirm
https://github.com/cubefs/cubefs/security/advisories/GHSA-8579-7p32-f398
Patch x_refsource_misc
https://github.com/cubefs/cubefs/commit/6a0d5fa45a77ff20c752fa9e44738bf5d86c84bd
Scores
CVSS v3
6.5
EPSS
0.0035
EPSS Percentile
26.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-203
Status
published
Products (2)
cubefs/cubefs
0 - 3.3.1Go
linuxfoundation/cubefs
< 3.3.1
Published
Jan 03, 2024
Tracked Since
Feb 18, 2026