PT-2024-14359 · Crateio · Cratedb

Tu0Laj1O

Published 2024-01-30 · Updated 2024-02-06 · CVE-2023-51982

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CrateDB version 5.5.1

Description: CrateDB 5.5.1 contains an authentication bypass in the Admin UI component. After password authentication has been configured, the identity check can be bypassed by setting the X-Real-IP request header to a specific value and accessing the Admin UI directly under the default user identity.

Recommendations: For CrateDB version 5.5.1, consider disabling access to the Admin UI until a patch is available. As a temporary workaround, restrict the use of the default user identity to minimize the risk of exploitation. Avoid relying on the X-Real-IP request header in the affected Admin UI component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
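The root cause described above is a service that derives the caller's identity from a client-writable header. The following added example (not CrateDB's own code, and not part of this advisory) shows the defensive pattern a reverse-proxied deployment should apply: honour X-Real-IP only when the TCP peer is a known proxy, ignore it otherwise, and log the request so the attempt is visible. The proxy range, the request records and the `/admin-ui` path are constructed placeholders.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed: address ranges of the reverse proxies allowed to set X-Real-IP.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request (constructed for this example)."""
    remote_addr: str                      # TCP peer as seen by the server socket
    path: str
    headers: dict = field(default_factory=dict)


def effective_client_ip(req: Request) -> tuple[str, bool]:
    """Decide which address identifies the caller.

    Returns (client_ip, spoof_suspected). X-Real-IP is honoured only when the
    TCP peer is one of TRUSTED_PROXIES; otherwise the header is ignored and the
    request is flagged, because any client can write that header itself.
    """
    peer = ipaddress.ip_address(req.remote_addr)
    header = req.headers.get("X-Real-IP")
    if header is None:
        return str(peer), False
    from_proxy = any(peer in net for net in TRUSTED_PROXIES)
    if not from_proxy:
        # Header supplied by an untrusted peer: never use it for auth decisions.
        return str(peer), True
    try:
        return str(ipaddress.ip_address(header.strip())), False
    except ValueError:
        # A trusted proxy sent a malformed value: fall back to the peer and flag it.
        return str(peer), True


def audit(requests: list[Request]) -> list[dict]:
    """Return one finding per request whose X-Real-IP was not set by a trusted proxy."""
    findings = []
    for req in requests:
        _, suspicious = effective_client_ip(req)
        if suspicious:
            findings.append({"peer": req.remote_addr, "path": req.path,
                             "x_real_ip": req.headers.get("X-Real-IP")})
    return findings


# Constructed sample traffic. "/admin-ui" is a placeholder path, not CrateDB's.
SAMPLE_REQUESTS = [
    Request("203.0.113.5", "/admin-ui", {"X-Real-IP": "192.0.2.10"}),   # direct, header set by client
    Request("10.0.0.7", "/admin-ui", {"X-Real-IP": "198.51.100.9"}),    # via trusted proxy
    Request("203.0.113.6", "/admin-ui"),                                 # direct, no header
    Request("10.0.0.7", "/admin-ui", {"X-Real-IP": "not-an-ip"}),        # proxy sent a bad value
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS):
        print(f"X-Real-IP not trustworthy: {finding}")
```

The same rule applies at the proxy itself: a reverse proxy in front of the Admin UI should overwrite any inbound X-Real-IP with the real peer address rather than pass it through, so the application never sees a client-chosen value.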

Exploit

Improper Authentication


Weakness Enumeration

Related Identifiers: CVE-2023-51982, GHSA-7MGX-GVJW-M3W3

Affected Products: Cratedb