PT-2024-13374 · Cubefs · Cubefs
Adamkorcz · Published 2024-01-03 · Updated 2024-06-28 · CVE-2023-46739
CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L
Name of the Vulnerable Software and Affected Versions
CubeFS versions prior to 3.3.1
Description
A vulnerability was found in the CubeFS master component that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root cause of the issue was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the UserService of the master component, which gets instantiated when starting the server of the master component. There is no evidence of this vulnerability being exploited in the wild. The issue was discovered during a security audit.
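The root cause described above, shown as an added Go example (not CubeFS's own code): a comparison that stops at the first mismatch does work proportional to the correct prefix of a guess, while a fixed-length constant-time comparison does not. The function names and the sample password are hypothetical, and the byte counter is a stand-in for measurable running time.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// earlyExitCompare models a raw comparison that stops at the first
// mismatch. The second return value counts the bytes examined and stands
// in for the running time an observer could measure.
func earlyExitCompare(stored, supplied string) (bool, int) {
	if len(stored) != len(supplied) {
		return false, 0
	}
	for i := 0; i < len(stored); i++ {
		if stored[i] != supplied[i] {
			return false, i + 1
		}
	}
	return true, len(stored)
}

// constantTimeEqual hashes both values to a fixed length first, because
// subtle.ConstantTimeCompare returns immediately when lengths differ, and
// then compares the digests without a data-dependent early exit.
func constantTimeEqual(stored, supplied string) bool {
	a := sha256.Sum256([]byte(stored))
	b := sha256.Sum256([]byte(supplied))
	return subtle.ConstantTimeCompare(a[:], b[:]) == 1
}

func main() {
	const stored = "s3cr3t-pass" // constructed sample value
	guesses := []string{"xxxxxxxxxxx", "s3cxxxxxxxx", "s3cr3t-paxx", stored}
	for _, guess := range guesses {
		_, work := earlyExitCompare(stored, guess)
		fmt.Printf("%-14q early-exit work=%2d constant-time equal=%v\n",
			guess, work, constantTimeEqual(stored, guess))
	}
}
```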
Recommendations
For versions prior to 3.3.1, update to version 3.3.1 or later to resolve the issue. As a temporary workaround, consider disabling the UserService function until a patch is available. Restrict access to the master component to minimize the risk of exploitation. Avoid using the UserService until the issue is resolved.
Exploit
Fix
Side Channel Attack
Affected Products
Cubefs