CVE-2023-46738

Name of the Vulnerable Software and Affected Versions CubeFS versions prior to 3.3.1

Description A security issue was found in CubeFS HandlerNode that could allow authenticated users to send maliciously-crafted requests, crashing the ObjectNode and denying other users from using it. The root cause was improper handling of incoming HTTP requests, allowing an attacker to control the amount of memory the ObjectNode would allocate. A malicious request could exhaust the machine's memory. An attacker would need to be authenticated, have permissions to delete objects, and know the names of existing buckets in the CubeFS deployment. The most likely attacker is an inside user or an attacker who has breached an existing user's account in the cluster. There is no evidence of this attack being exploited in the wild.

Recommendations For CubeFS versions prior to 3.3.1, the issue has been patched in version 3.3.1, so upgrading to this version or later is the recommended mitigation. There is no other mitigation besides upgrading.