Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Timing attack can leak user passwords
Vulnerability Description
CubeFS is an open-source cloud-native file storage system. A vulnerability was found during in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the UserService of the master component. The UserService gets instantiated when starting the server of the master component. The issue has been patched in v3.3.1. For impacted users, there is no other way to mitigate the issue besides upgrading.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
Vulnerability Type
通过差异性导致的信息暴露
Vulnerability Title
CubeFS 安全漏洞
Vulnerability Description
CubeFS是CubeFS个人开发者的一种云原生文件存储。 CubeFS 3.3.1之前版本存在安全漏洞。攻击者利用该漏洞可以窃取用户密码。
CVSS Information
N/A
Vulnerability Type
N/A