PT-2023-30002 · Yugabyte · Yugabytedb
Published: 2023-08-30 · Updated: 2023-09-05 · CVE-2023-4640
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
YugabyteDB Anywhere versions 2.0.0 through 2.17.3
Description
The vulnerability is a missing authorization check in the controller that sets the logging level of YugabyteDB Anywhere. The controller extends the framework's plain Controller class rather than AuthenticatedController and performs no authentication check of its own, so every request that reaches the endpoint is processed without the caller being identified. Given the network-reachable, no-privilege vector above, an unauthenticated remote attacker who can reach the YugabyteDB Anywhere API can change the platform's logging level.
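The following is an added illustration of the pattern described above, written against the Play Framework 2.8 Java API that YugabyteDB Anywhere's backend uses; it is not YugabyteDB Anywhere source. The vulnerable controller derives from the bare Controller, so no authenticator runs before its action; the hardened version derives from a base class whose @Security.Authenticated annotation forces authentication on every action of every subclass. ApiTokenAuthenticator, TokenStore, LogConfig, the X-AUTH-TOKEN header name and the example token are assumed names invented for this example.

```java
// Illustrative example, not YugabyteDB Anywhere source. Assumes Play Framework 2.8 Java API.
// ApiTokenAuthenticator, TokenStore, LogConfig and the X-AUTH-TOKEN header are assumed names.
package example.logging;

import java.util.Optional;
import java.util.Set;
import play.mvc.Controller;
import play.mvc.Http;
import play.mvc.Result;
import play.mvc.Security;

/** Vulnerable pattern: derived from the bare Controller, so no authenticator runs
 *  before setLevel. Any client that can reach the route changes the log level. */
class VulnerableLoggingLevelController extends Controller {
  public Result setLevel(Http.Request request, String level) {
    LogConfig.setRootLevel(level);
    return ok("logging level set to " + level);
  }
}

/** Hardened base class: the annotation makes Play run ApiTokenAuthenticator before
 *  every action of every subclass, so a forgotten check in one controller cannot
 *  silently expose an endpoint. */
@Security.Authenticated(ApiTokenAuthenticator.class)
abstract class AuthenticatedController extends Controller {}

/** Hardened controller: same action, but it inherits the mandatory authentication. */
class LoggingLevelController extends AuthenticatedController {
  private static final Set<String> ALLOWED = Set.of("ERROR", "WARN", "INFO", "DEBUG", "TRACE");

  public Result setLevel(Http.Request request, String level) {
    // Validate the value even for authenticated callers: an unknown level should be
    // a client error, not an exception inside the logging subsystem.
    if (!ALLOWED.contains(level)) {
      return badRequest("unknown logging level: " + level);
    }
    LogConfig.setRootLevel(level);
    return ok("logging level set to " + level);
  }
}

/** Authenticator: maps an API token header to a user, or rejects the request with 401. */
class ApiTokenAuthenticator extends Security.Authenticator {
  @Override
  public Optional<String> getUsername(Http.Request req) {
    // An empty Optional means "not authenticated"; Play then calls onUnauthorized
    // and the controller action is never entered.
    return req.header("X-AUTH-TOKEN").flatMap(TokenStore::userForToken);
  }

  @Override
  public Result onUnauthorized(Http.Request req) {
    return unauthorized("authentication required");
  }
}

/** Assumed token store, standing in for the real session/API-token lookup. */
final class TokenStore {
  static Optional<String> userForToken(String token) {
    // A real store would look the token up and compare it in constant time.
    return "example-token".equals(token) ? Optional.of("admin") : Optional.empty();
  }
}

/** Assumed logging backend hook. */
final class LogConfig {
  static void setRootLevel(String level) {
    // A real implementation would call into the logging backend (e.g. Logback).
    System.out.println("root logging level -> " + level);
  }
}
```

The design point is that the check lives in the base class, not in each action: a reviewer can then verify the fix by confirming that every controller handling a mutable setting derives from AuthenticatedController, rather than by reading every action body.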
Recommendations
Upgrade YugabyteDB Anywhere installations running versions 2.0.0 through 2.17.3 to a release in which the logging level controller is derived from AuthenticatedController or otherwise enforces authentication on every action. Where an upgrade cannot be applied immediately, restrict network access to the YugabyteDB Anywhere API so that the logging level endpoint is reachable only from trusted administrative hosts, and review access logs for unexpected changes to the logging level.
Weakness Enumeration
Improper Access Control
Affected Products
Yugabytedb