CVE-2023-6001: 
YugabyteDB vulnerability analysis and mitigation

Prometheus metrics in YugabyteDB Anywhere were found to be accessible without authentication, exposing detailed and sensitive information about the YugabyteDB Anywhere environment. This vulnerability was assigned CVE-2023-6001 and was disclosed on November 7, 2023 (NVD, CVE).

The vulnerability has been assessed with different CVSS v3.1 scores by different organizations. The NVD assigned a CVSS Base Score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, while Yugabyte, Inc. assigned a score of 5.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-862 (Missing Authorization) by NIST and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) by Yugabyte, Inc. (NVD).

The exposure of Prometheus metrics without authentication allows unauthorized access to detailed and sensitive information about the YugabyteDB Anywhere environment. This could potentially provide attackers with valuable insights into the system's configuration and operation (NVD).

The vulnerability affects YugabyteDB versions from 2.0.0 up to (excluding) 2.18.4.0. Users should upgrade to version 2.18.4.0 or later to address this security issue (NVD).