CVE-2023-46741: 
vulnerability analysis and mitigation

CubeFS, an open-source cloud-native file storage system, was found to contain a vulnerability (CVE-2023-46741) prior to version 3.3.1. The vulnerability allows users to read sensitive data from logs, potentially enabling privilege escalation. The issue was discovered during a security audit conducted by Ada Logics in collaboration with OSTIF and the CNCF, and was disclosed on January 3, 2024 (GitHub Advisory).

The vulnerability stems from CubeFS leaking configuration keys in plaintext format within its logs. These exposed keys can be used to perform unauthorized operations on blobs. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL by NIST (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), while GitHub rates it as MEDIUM with a score of 4.8 (Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L) (NVD).

The vulnerability enables attackers to perform unauthorized operations on blob stores. An attacker who successfully retrieves a secret key from the logs can delete blobs from the blob store, even without proper permissions. The attack can be executed either by internal users with limited log-reading privileges or by external users who have managed to escalate their privileges sufficiently to access the logs (GitHub Advisory).

The vulnerability has been patched in CubeFS version 3.3.1. There are no alternative mitigations available; upgrading to the patched version is the only recommended solution (GitHub Advisory).