CVE-2024-6895

MEDIUM

Yugabyte Platform - Privilege Escalation

Title source: llm

Description

Insufficient authentication in user account management in Yugabyte Platform allows local network attackers with a compromised user session to change critical security information without re-authentication. An attacker with user session and access to application can modify settings such as password and email without being prompted for the current password, enabling account takeover.

References (1)

Core 1

Core References

Patch patch

https://github.com/yugabyte/yugabyte-db/commit/9687371d8777f876285b737a9d01995bc46bafa5

View Patch ZIP pw:eip

Scores

CVSS v4 6.1

EPSS 0.0024

EPSS Percentile 14.8%

CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-306

Status published

Products (4)

YugabyteDB/YugabyteDB Anywhere 2.14.0.0 - 2.14.17.0

YugabyteDB/YugabyteDB Anywhere 2.16.0.0 - 2.16.9.0

YugabyteDB/YugabyteDB Anywhere 2.18.0.0 - 2.18.8.1

YugabyteDB/YugabyteDB Anywhere 2.20.0.0 - 2.20.5.0

Published Jul 19, 2024

Tracked Since Feb 18, 2026