PT-2024-16795 · Yugabyte · Yugabytedb

Published 2024-11-13 · Updated 2024-11-17 · CVE-2024-11165

CVSS v4.0: 5.7 (Medium)
Vector: AV:L/AC:H/AT:N/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L
Name of the Vulnerable Software and Affected Versions

YugabyteDB Anywhere versions 2.20.0.0 through 2.20.6.0
YugabyteDB Anywhere versions 2.23.0.0 through 2.23.0.0
YugabyteDB Anywhere versions 2024.1.0.0 through 2024.1.2.0
YugabyteDB versions prior to D37715

Description

An information disclosure issue exists in the backup configuration process: the SAS token is not masked in the configuration response, so it is written in clear text into the yb backup log files. The leakage occurs during the backup procedure, and anyone who can read those log files could use the SAS token to gain unauthorized access to the storage resources it grants access to.

Recommendations

For versions 2.20.0.0 through 2.20.6.0, update to version 2.20.7.0 or later. For version 2.23.0.0, update to version 2.23.1.0 or later. For versions 2024.1.0.0 through 2024.1.2.0, update to version 2024.1.3.0 or later. For versions prior to D37715, update to version D37715 or later. As a temporary workaround, consider restricting access to the backup configuration process to minimize the risk of exploitation.
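Added example, not YugabyteDB Anywhere code: the masking the advisory describes as missing, applied to a constructed backup configuration before it is logged or returned, plus a check that scans existing backup log lines for signatures that were written unmasked. The configuration keys, the log format and the sample token are assumptions; the `sig` query parameter follows the Azure SAS token format.

```python
"""Mask SAS tokens before they reach backup logs; scan existing logs for leaks."""
import re
from typing import Iterable, List

MASK = "***REDACTED***"
# Keys whose whole value is a credential (assumed names; the page does not list them).
SECRET_KEY_HINT = re.compile(r"(sas|token|secret|signature)", re.IGNORECASE)
# The secret part of a SAS token is its 'sig' query parameter (URL-safe base64-ish).
SIG_PARAM = re.compile(r"([?&]|\b)sig=([A-Za-z0-9%+/=_-]{8,})")


def mask_sas_value(value: str) -> str:
    """Replace the signature of any SAS token embedded in a URL or free text."""
    return SIG_PARAM.sub(lambda m: f"{m.group(1)}sig={MASK}", value)


def redact_config(config: dict) -> dict:
    """Return a copy of a backup configuration that is safe to log or echo in a response."""
    out = {}
    for key, value in config.items():
        if isinstance(value, dict):
            out[key] = redact_config(value)
        elif isinstance(value, str) and SECRET_KEY_HINT.search(key):
            out[key] = MASK                  # the entire value is a credential: drop it
        elif isinstance(value, str):
            out[key] = mask_sas_value(value)  # token may hide inside a URL or message
        else:
            out[key] = value
    return out


def find_unmasked_sas(lines: Iterable[str]) -> List[int]:
    """Detection: 1-based numbers of log lines that still carry a raw SAS signature."""
    return [n for n, line in enumerate(lines, 1) if SIG_PARAM.search(line)]


# Constructed sample data: a backup configuration and the log lines it produced.
SAMPLE_CONFIG = {
    "backupType": "AZ",
    "container": "https://example.blob.core.windows.net/backups",
    "sasToken": "sv=2022-11-02&ss=b&srt=co&sp=rwl&se=2024-12-01T00:00:00Z&sig=abc123DEF456ghi789",
}
SAMPLE_LOG = [
    "2024-11-13 10:00:01 INFO starting backup to container backups",
    "2024-11-13 10:00:02 DEBUG config: sasToken=sv=2022-11-02&sp=rwl&sig=abc123DEF456ghi789",
    "2024-11-13 10:00:09 INFO backup finished",
]

if __name__ == "__main__":
    print(redact_config(SAMPLE_CONFIG))
    print("leaking lines:", find_unmasked_sas(SAMPLE_LOG))
```

Run the scanner over archived backup logs from an affected version to decide whether the SAS token must be rotated.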

Fix

Weakness Enumeration: Insertion into Log File

Related Identifiers: CVE-2024-11165

Affected Products: Yugabytedb