PT-2024-16810 · Yugabyte · YugabyteDB Anywhere

Published: 2024-11-13 · Updated: 2024-11-17 · CVE-2024-11193

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

YugabyteDB Anywhere 2.20.0.0 through 2.20.6.0
YugabyteDB Anywhere 2.23.0.0 (the only release in the 2.23 series affected)
YugabyteDB Anywhere 2024.1.0.0 through 2024.1.2.0
Description

An information disclosure issue exists in YugabyteDB Anywhere: the LDAP bind password (the service-account credential YugabyteDB Anywhere uses to authenticate to the LDAP server) is written in plaintext to the application logs. Anyone who can read those logs, whether a low-privileged platform user, an operator, support staff, a log-aggregation consumer, or an attacker who has compromised a host or log store, can recover the password. With it, the attacker can bind to the LDAP server as that service account and reach whatever directory data and LDAP-managed resources the account is permitted to see or modify. The CVSS vector reflects this: the attacker needs some existing privilege (PR:L, log access) and the impact is confined to confidentiality (C:H).
Recommendations

For versions 2.20.0.0 through 2.20.6.0, update to version 2.20.7.0 or later.
For version 2.23.0.0, update to version 2.23.1.0 or later.
For versions 2024.1.0.0 through 2024.1.2.0, update to version 2024.1.3.0 or later.

As a temporary workaround, restrict access to the application logs to minimize the risk of exploitation. Note that upgrading only stops new writes of the password; copies already present in existing log files, rotated archives, and any log-shipping or SIEM destination remain readable. A practitioner should therefore treat the bind password as exposed: rotate it on the LDAP server and in the YugabyteDB Anywhere configuration after upgrading, and purge or scrub the historical logs.
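The following is an added example, not code from YugabyteDB Anywhere or from the advisory. It covers two practitioner tasks raised above: scanning existing application logs for the bind password (including URL-encoded and base64 forms, which a plain grep for the raw value would miss) and scrubbing matching lines, and, beside that, the logging pattern that caused the flaw next to a hardened version that masks credential-like fields before formatting. The log lines, configuration key names (`bind_dn`, `bind_password`) and password are constructed for illustration and do not reproduce the real YugabyteDB Anywhere log format or configuration keys.

```python
"""Detect a leaked LDAP bind password in application logs and show a safe logging pattern.

Added example for this advisory; it is not YugabyteDB Anywhere code. The log
lines, config keys and password below are constructed for illustration and
do not reproduce the real YBA log format or configuration key names.
"""
import base64
import re
import urllib.parse
from typing import Dict, List, Tuple

# Constructed sample log lines (assumption: not real YugabyteDB Anywhere output).
# Line 2 models the flaw: the bind password is written verbatim. Line 4 shows
# the same secret leaking in URL-encoded form through a request body dump.
SAMPLE_LOG = [
    "2024-11-01 10:00:00 INFO  LdapAuth - connecting to ldaps://ldap.corp.example:636",
    "2024-11-01 10:00:00 DEBUG LdapAuth - bind dn=cn=yba-svc,ou=svc,dc=corp,dc=example "
    "password=Sup3r$ecret!",
    "2024-11-01 10:00:01 INFO  LdapAuth - bind succeeded",
    "2024-11-01 10:00:02 DEBUG HttpClient - POST /api/ldap body=bind_password=Sup3r%24ecret%21",
]

# The operator knows the bind password and wants to learn whether it reached the logs.
BIND_PASSWORD = "Sup3r$ecret!"


def encodings_of(secret: str) -> Dict[str, str]:
    """Forms in which a secret commonly lands in logs: raw, URL-encoded, base64."""
    return {
        "plain": secret,
        "url": urllib.parse.quote(secret, safe=""),
        "base64": base64.b64encode(secret.encode()).decode(),
    }


def find_secret_exposures(lines: List[str], secret: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, encoding name) for every line containing the secret."""
    hits: List[Tuple[int, str]] = []
    for idx, line in enumerate(lines, start=1):
        for name, form in encodings_of(secret).items():
            if form in line:
                hits.append((idx, name))
    return hits


def redact(line: str, secret: str) -> str:
    """Replace every known encoding of the secret with a fixed mask (for log scrubbing)."""
    for form in encodings_of(secret).values():
        line = line.replace(form, "[REDACTED]")
    return line


# Keys that look like credentials are masked; the key names used with it are assumed.
SENSITIVE_KEY = re.compile(r"password|passwd|secret|credential", re.IGNORECASE)


def format_ldap_config_vulnerable(cfg: Dict[str, str]) -> str:
    """Mirrors the flaw: formats the whole config for the log, bind password included."""
    return "LDAP config: " + ", ".join(f"{k}={v}" for k, v in cfg.items())


def format_ldap_config_safe(cfg: Dict[str, str]) -> str:
    """Hardened form: mask any key that looks like a credential before it is formatted."""
    return "LDAP config: " + ", ".join(
        f"{k}={'***' if SENSITIVE_KEY.search(k) else v}" for k, v in cfg.items()
    )


if __name__ == "__main__":
    for line_no, enc in find_secret_exposures(SAMPLE_LOG, BIND_PASSWORD):
        print(f"line {line_no}: bind password present ({enc})")
        print("  scrubbed:", redact(SAMPLE_LOG[line_no - 1], BIND_PASSWORD))
    cfg = {"bind_dn": "cn=yba-svc,ou=svc,dc=corp,dc=example", "bind_password": BIND_PASSWORD}
    print(format_ldap_config_vulnerable(cfg))
    print(format_ldap_config_safe(cfg))
```

Run it against the real log directory by replacing SAMPLE_LOG with the file contents and BIND_PASSWORD with the configured value; any hit means the credential must be rotated regardless of whether the upgrade has already been applied. The masking in format_ldap_config_safe keys on field names rather than values, which is the usual choice because a value-based filter needs the secret at log time and fails for secrets it was never told about.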

Weakness Enumeration: Insertion into Log File

Related Identifiers: CVE-2024-11193

Affected Products: YugabyteDB Anywhere