CVE-2023-0575

Name of the Vulnerable Software and Affected Versions Yugabyte DB versions prior to 2.2.0.0

Description The issue is related to External Control of Critical State Data and Improper Control of Generation of Code, also known as 'Code Injection' vulnerability. This vulnerability affects YugaByte, Inc. Yugabyte DB on various operating systems, including Windows, Linux, MacOS, and iOS. It is associated with the DevopsBase.Java:execCommand and TableManager.Java:runCommand modules, allowing for API manipulation and privilege abuse. The vulnerability is also linked to program files backup.Py.

Recommendations For versions prior to 2.2.0.0, update to version 2.2.0.0 or later to resolve the issue. As a temporary workaround, consider disabling the execCommand and runCommand functions in the DevopsBase.Java and TableManager.Java modules, respectively, until a patch is available. Restrict access to the backup.Py program files to minimize the risk of exploitation.