CVE-2023-38195: 
Datalust Seq vulnerability analysis and mitigation

Datalust Seq before version 2023.2.9489 contains a security vulnerability that allows insertion of sensitive information into an externally accessible file or directory. This vulnerability (CVE-2023-38195) was disclosed on July 6, 2023, and specifically affects instances using SQL Server or PostgreSQL metadata storage. The vulnerability is only exploitable when external metadata storage is configured and requires a high-privileged user account to exploit (Vendor Advisory).

The vulnerability affects the metadata storage functionality when using external databases (SQL Server or PostgreSQL). The issue can be detected by checking for 'Using SQL Metastore : Yes' or 'Using PostgreSQL Metastore : Yes' in the Server Configuration section of the diagnostic report, or by verifying the presence of specific connection string settings in the configuration. The CVSS v3.1 base score is 4.9 (Medium), with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability could lead to the exposure of sensitive information through externally accessible files or directories. The impact is somewhat limited by the requirement of high-level privileges for exploitation, but could still result in unauthorized access to sensitive data in affected systems (NVD).

The vulnerability has been patched in Seq version 2023.2.9489. Datalust advises all users running Seq instances with SQL Server or PostgreSQL metadata storage to upgrade to version 2023.2.9489 or later. No alternative workarounds have been provided (Vendor Advisory).