CVE-2024-11165

Published Nov 13, 2024

Last updated 3 days ago

CVSS medium 5.7

Overview

Description
An information disclosure vulnerability exists in the backup configuration process where the SAS token is not masked in the configuration response. This oversight results in sensitive information leakage within the yb_backup log files, exposing the SAS token in plaintext. The leakage occurs during the backup procedure, leading to potential unauthorized access to resources associated with the SAS token. This issue affects YugabyteDB Anywhere: from 2.20.0.0 before 2.20.7.0, from 2.23.0.0 before 2.23.1.0, from 2024.1.0.0 before 2024.1.3.0.
Source
security@yugabyte.com
NVD status
Awaiting Analysis

Risk scores

CVSS 4.0

Type
Secondary
Base score
5.7
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
MEDIUM

CVSS 3.1

Type
Secondary
Base score
3.9
Impact score
3.4
Exploitability score
0.5
Vector string
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
Severity
LOW

Weaknesses

security@yugabyte.com
CWE-532

Social media

Hype score
Not currently trending

  1. CVE-2024-11165 An information disclosure vulnerability exists in the backup configuration process where the SAS token is not masked in the configuration response. This oversight res… https://t.co/xcpxVUN6iL

    @CVEnew

    13 Nov 2024

    240 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References