CVE-2024-11165

Published: Nov 13, 2024

Modified: Nov 21, 2024

PUBLISHED

Description

An information disclosure vulnerability exists in the backup configuration process where the SAS token is not masked in the configuration response. This oversight results in sensitive information leakage within the yb_backup log files, exposing the SAS token in plaintext. The leakage occurs during the backup procedure, leading to potential unauthorized access to resources associated with the SAS token. This issue affects YugabyteDB Anywhere: from 2.20.0.0 before 2.20.7.0, from 2.23.0.0 before 2.23.1.0, from 2024.1.0.0 before 2024.1.3.0.

Vendor	Product	Versions
YugabyteDB	YugabyteDB Anywhere	affected `2.20.0.0 - < 2.20.7.0` affected `2.23.0.0 - < 2.23.1.0` affected `2024.1.0.0 - < 2024.1.3.0`

Weaknesses (CWE)

CWE-532

References

https://github.com/yugabyte/yugabyte-db/commit/920989b6c0db0222bb7a0cce46febc76cf72d438

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-11165

Description

Affected Products

Weaknesses (CWE)

References