x/vulndb: potential Go vuln in github.com/cubefs/cubefs: CVE-2023-46738 #2430
Labels
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package that can be imported, but isn't meant to be used outside that module.
tatianab added the excluded: EFFECTIVELY_PRIVATE label on Jan 4, 2024.
Change https://go.dev/cl/554157 mentions this issue.
Change https://go.dev/cl/592778 mentions this issue.
gopherbot pushed a commit that referenced this issue on Jun 28, 2024:

- data/reports/GO-2024-2521.yaml
- data/reports/GO-2024-2434.yaml
- data/reports/GO-2024-2537.yaml
- data/reports/GO-2024-2432.yaml
- data/reports/GO-2024-2483.yaml
- data/reports/GO-2024-2480.yaml
- data/reports/GO-2024-2433.yaml
- data/reports/GO-2024-2530.yaml
- data/reports/GO-2024-2556.yaml
- data/reports/GO-2024-2472.yaml
- data/reports/GO-2024-2540.yaml
- data/reports/GO-2024-2560.yaml
- data/reports/GO-2024-2561.yaml
- data/reports/GO-2024-2590.yaml
- data/reports/GO-2024-2428.yaml
- data/reports/GO-2024-2508.yaml
- data/reports/GO-2024-2592.yaml
- data/reports/GO-2024-2511.yaml
- data/reports/GO-2024-2491.yaml
- data/reports/GO-2024-2479.yaml
- data/reports/GO-2024-2509.yaml
- data/reports/GO-2024-2589.yaml
- data/reports/GO-2024-2496.yaml
- data/reports/GO-2024-2505.yaml
- data/reports/GO-2024-2558.yaml
- data/reports/GO-2024-2430.yaml
- data/reports/GO-2024-2594.yaml
- data/reports/GO-2024-2431.yaml
- data/reports/GO-2024-2488.yaml
- data/reports/GO-2024-2495.yaml
- data/reports/GO-2024-2557.yaml
- data/reports/GO-2024-2442.yaml
- data/reports/GO-2024-2593.yaml
- data/reports/GO-2024-2512.yaml
- data/reports/GO-2024-2528.yaml
- data/reports/GO-2024-2529.yaml
- data/reports/GO-2024-2588.yaml
- data/reports/GO-2024-2562.yaml
- data/reports/GO-2024-2441.yaml
- data/reports/GO-2024-2591.yaml
- data/reports/GO-2024-2477.yaml
- data/reports/GO-2024-2448.yaml
- data/reports/GO-2024-2510.yaml
- data/reports/GO-2024-2564.yaml
- data/reports/GO-2024-2476.yaml
- data/reports/GO-2024-2527.yaml
- data/reports/GO-2024-2481.yaml
- data/reports/GO-2024-2445.yaml
- data/reports/GO-2024-2457.yaml
- data/reports/GO-2024-2446.yaml
- data/reports/GO-2024-2447.yaml
- data/reports/GO-2024-2501.yaml
- data/reports/GO-2024-2440.yaml
- data/reports/GO-2024-2500.yaml
- data/reports/GO-2024-2444.yaml
- data/reports/GO-2024-2550.yaml
- data/reports/GO-2024-2523.yaml
- data/reports/GO-2024-2516.yaml
- data/reports/GO-2024-2531.yaml
- data/reports/GO-2024-2595.yaml
- data/reports/GO-2024-2520.yaml
- data/reports/GO-2024-2582.yaml
- data/reports/GO-2024-2485.yaml
- data/reports/GO-2024-2541.yaml
- data/reports/GO-2024-2563.yaml
- data/reports/GO-2024-2532.yaml
- data/reports/GO-2024-2450.yaml
- data/reports/GO-2024-2515.yaml
- data/reports/GO-2024-2499.yaml
- data/reports/GO-2024-2514.yaml
- data/reports/GO-2024-2535.yaml
- data/reports/GO-2024-2458.yaml
- data/reports/GO-2024-2449.yaml
- data/reports/GO-2024-2549.yaml
- data/reports/GO-2024-2517.yaml
- data/reports/GO-2024-2478.yaml
- data/reports/GO-2024-2559.yaml
- data/reports/GO-2024-2486.yaml
- data/reports/GO-2024-2513.yaml
- data/reports/GO-2024-2565.yaml

Updates #2521
Updates #2434
Updates #2537
Updates #2432
Updates #2483
Updates #2480
Updates #2433
Updates #2530
Updates #2556
Updates #2472
Updates #2540
Updates #2560
Updates #2561
Updates #2590
Updates #2428
Updates #2508
Updates #2592
Updates #2511
Updates #2491
Updates #2479
Updates #2509
Updates #2589
Updates #2496
Updates #2505
Updates #2558
Updates #2430
Updates #2594
Updates #2431
Updates #2488
Updates #2495
Updates #2557
Updates #2442
Updates #2593
Updates #2512
Updates #2528
Updates #2529
Updates #2588
Updates #2562
Updates #2441
Updates #2591
Updates #2477
Updates #2448
Updates #2510
Updates #2564
Updates #2476
Updates #2527
Updates #2481
Updates #2445
Updates #2457
Updates #2446
Updates #2447
Updates #2501
Updates #2440
Updates #2500
Updates #2444
Updates #2550
Updates #2523
Updates #2516
Updates #2531
Updates #2595
Updates #2520
Updates #2582
Updates #2485
Updates #2541
Updates #2563
Updates #2532
Updates #2450
Updates #2515
Updates #2499
Updates #2514
Updates #2535
Updates #2458
Updates #2449
Updates #2549
Updates #2517
Updates #2478
Updates #2559
Updates #2486
Updates #2513
Updates #2565

Change-Id: I9920757c40e457cb5d033ef0e0a99deb6a5c29b5
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592778
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
CVE-2023-46738 references github.com/cubefs/cubefs, which may be a Go module.
Description:
CubeFS is an open-source cloud-native file storage system. A security vulnerability was found in CubeFS HandlerNode in versions prior to 3.3.1 that could allow authenticated users to send maliciously-crafted requests that would crash the ObjectNode and deny other users from using it. The root cause was improper handling of incoming HTTP requests that could allow an attacker to control the amount of memory that the ObjectNode would allocate. A malicious request could make the ObjectNode allocate more memory than the machine had available, and the attacker could exhaust memory by way of a single malicious request. An attacker would need to be authenticated in order to invoke the vulnerable code with their malicious request and have permissions to delete objects. In addition, the attacker would need to know the names of existing buckets of the CubeFS deployment - otherwise the request would be rejected before it reached the vulnerable code. As such, the most likely attacker is an inside user or an attacker that has breached the account of an existing user in the cluster. The issue has been patched in v3.3.1. There is no other mitigation besides upgrading.
References:
Cross references:
See doc/triage.md for instructions on how to triage this report.
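The description above names the defect class, a server letting a client-controlled request decide how much memory it allocates, without showing any code. The following is an added Go example written for this page; it is not CubeFS's code, not its fix, and `deleteObjectsHandler`, `deleteRequest`, `maxDeleteBodyBytes` and the XML body shape are constructed stand-ins. It puts the weak pattern (a buffer sized from the declared Content-Length) beside the bounded one (reject an oversized declared length before allocating anything, then cap the actual read with `http.MaxBytesReader` so a chunked or misdeclared body cannot exceed the limit either), and exercises the handler with a header that lies about the body size and with a genuinely oversized body.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxDeleteBodyBytes caps how much of a "delete objects" body the handler
// will read. A constructed example limit, not a CubeFS setting.
const maxDeleteBodyBytes int64 = 4096

var errBodyTooLarge = errors.New("request body exceeds limit")

// deleteRequest is a minimal constructed stand-in for an S3-style
// multi-object delete body: <Delete><Object><Key>...</Key></Object>...</Delete>
type deleteRequest struct {
	Objects []struct {
		Key string `xml:"Key"`
	} `xml:"Object"`
}

// readBodyUnbounded is the weak pattern: the buffer is sized from the
// client-supplied Content-Length, so the client decides how much the server
// allocates before a single byte of the body has been validated. Shown for
// contrast only; the handler below never calls it.
func readBodyUnbounded(r *http.Request) ([]byte, error) {
	if r.ContentLength < 0 {
		return io.ReadAll(r.Body)
	}
	buf := make([]byte, r.ContentLength) // attacker-controlled allocation size
	_, err := io.ReadFull(r.Body, buf)
	return buf, err
}

// readBodyBounded is the hardened pattern: refuse an oversized declared
// length before allocating, then wrap the body so that a chunked or
// misdeclared body is cut off at the same limit.
func readBodyBounded(w http.ResponseWriter, r *http.Request, limit int64) ([]byte, error) {
	if r.ContentLength > limit {
		return nil, errBodyTooLarge
	}
	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, limit))
	var mbe *http.MaxBytesError
	if errors.As(err, &mbe) {
		return nil, errBodyTooLarge
	}
	return body, err
}

// deleteObjectsHandler parses the body and reports the keys it would delete.
// It answers 413 when the body is over the limit and 400 when it is malformed.
func deleteObjectsHandler(w http.ResponseWriter, r *http.Request) {
	body, err := readBodyBounded(w, r, maxDeleteBodyBytes)
	if errors.Is(err, errBodyTooLarge) {
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	var req deleteRequest
	if err := xml.Unmarshal(body, &req); err != nil {
		http.Error(w, "malformed body", http.StatusBadRequest)
		return
	}
	for _, o := range req.Objects {
		fmt.Fprintln(w, "deleted:", o.Key)
	}
}

// serveDelete runs one in-memory request through the handler and returns the
// status code and response body. declaredLength is written into
// Content-Length as-is (-1 means unknown/chunked), so a header that lies about
// the body size can be exercised without sending that many bytes.
func serveDelete(body string, declaredLength int64) (int, string) {
	r := httptest.NewRequest(http.MethodPost, "/bucket?delete", strings.NewReader(body))
	r.ContentLength = declaredLength
	w := httptest.NewRecorder()
	deleteObjectsHandler(w, r)
	return w.Code, w.Body.String()
}

func main() {
	ok := `<Delete><Object><Key>a.txt</Key></Object><Object><Key>b.txt</Key></Object></Delete>`
	code, out := serveDelete(ok, int64(len(ok))) // honest request
	fmt.Println(code, out)
	code, out = serveDelete(ok, 1<<40) // tiny body, huge declared length: 413, nothing allocated
	fmt.Println(code, out)
	code, out = serveDelete(strings.Repeat("x", 10000), -1) // oversized chunked body: 413
	fmt.Println(code, out)
}
```

The early `ContentLength` check is what removes the allocation-before-validation window; `MaxBytesReader` alone would still read, but the limit it enforces is the server's, not the client's, so the two together bound memory regardless of how the request declares itself.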