Insecure random string generator used for sensitive data

CubeFS is an open-source cloud-native file storage system. Prior to version 3.3.1, CubeFS used an insecure random string generator to generate user-specific, sensitive keys used to authenticate users in a CubeFS deployment. This could allow an attacker to predict and/or guess the generated string and impersonate a user thereby obtaining higher privileges. When CubeFS creates new users, it creates a piece of sensitive information for the user called the “accessKey”. To create the "accesKey", CubeFS uses an insecure string generator which makes it easy to guess and thereby impersonate the created user. An attacker could leverage the predictable random string generator and guess a users access key and impersonate the user to obtain higher privileges. The issue has been fixed in v3.3.1. There is no other mitigation than to upgrade.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

使用不充分的随机数

CubeFS 安全特征问题漏洞

CubeFS是CubeFS个人开发者的一种云原生文件存储。 CubeFS 3.3.1之前版本存在安全特征问题漏洞，该漏洞源于使用不安全的随机字符串生成器来生成用户特定的敏感密钥。攻击者利用该漏洞可以升级权限。

N/A

N/A