CVE-2023-6002: 
YugabyteDB vulnerability analysis and mitigation

YugabyteDB was found to be vulnerable to cross-site scripting (XSS) via log injection, identified as CVE-2023-6002. The vulnerability was disclosed on November 7, 2023, affecting multiple versions of YugabyteDB including versions 2.14.0.0 to 2.14.14.0, 2.16.0.0 to 2.16.8.0, and 2.18.0.0 to 2.18.4.0. This security flaw allows unprivileged attackers to forge log entries or inject malicious content into the logs through invalidated user input (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Yugabyte, Inc. assessed it with a slightly higher CVSS score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-117 (Improper Output Neutralization for Logs) (NVD).

The vulnerability allows attackers to perform cross-site scripting attacks through log injection, potentially leading to the compromise of log integrity and the injection of malicious content. The impact is characterized by low confidentiality and integrity breaches, with no direct impact on availability (NVD).