PT-2024-21292 · Unknown · EventStoreDB

Author: Hayley-Jean · Published: 2024-02-21 · Updated: 2024-02-22 · CVE-2024-26133

CVSS v3.1: 5.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L
Name of the Vulnerable Software and Affected Versions
- EventStoreDB versions 20 prior to 20.10.6
- EventStoreDB versions 21 prior to 21.10.11
- EventStoreDB versions 22 prior to 22.10.5
- EventStoreDB versions 23 prior to 23.10.1

Description
A vulnerability has been identified in the projections subsystem of EventStoreDB. It affects database instances that use custom projections and can expose user passwords to anyone who has access to the chunk files on disk or read access to system streams. By default, only users in the $admins group can access system streams.

Recommendations
- For versions prior to 20.10.6, upgrade to version 20.10.6 or later and reset passwords for current and previous members of the $admins and $ops groups.
- For versions prior to 21.10.11, upgrade to version 21.10.11 or later and reset passwords for current and previous members of the $admins and $ops groups.
- For versions prior to 22.10.5, upgrade to version 22.10.5 or later and reset passwords for current and previous members of the $admins and $ops groups.
- For versions prior to 23.10.1, upgrade to version 23.10.1 or later and reset passwords for current and previous members of the $admins and $ops groups.

If an immediate upgrade is not possible, reset the passwords for current and previous members of the $admins and $ops groups as a temporary measure, and avoid creating custom projections until the patch has been applied.

Weakness Enumeration
Insufficiently Protected Credentials

Related Identifiers

CVE-2024-26133
GHSA-6R53-V8HJ-X684

Affected Products
EventStoreDB