CVE-2024-6895

Published: Jul 19, 2024

Modified: Aug 13, 2024

PUBLISHED

Description

Insufficient authentication in user account management in Yugabyte Platform allows local network attackers with a compromised user session to change critical security information without re-authentication. An attacker with user session and access to application can modify settings such as password and email without being prompted for the current password, enabling account takeover.

Vendor	Product	Versions
YugabyteDB	YugabyteDB Anywhere	affected `2.14.0.0 - <= 2.14.17.0` affected `2.16.0.0 - <= 2.16.9.0` affected `2.18.0.0 - <= 2.18.8.1` affected `2.20.0.0 - < 2.20.5.0`

Weaknesses (CWE)

CWE-306

References

https://github.com/yugabyte/yugabyte-db/commit/9687371d8777f876285b737a9d01995bc46bafa5

patch

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-6895

Description

Affected Products

Weaknesses (CWE)

References