Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Insecure random string generator used for sensitive data
Vulnerability Description
CubeFS is an open-source cloud-native file storage system. Prior to version 3.3.1, CubeFS used an insecure random string generator to generate user-specific, sensitive keys used to authenticate users in a CubeFS deployment. This could allow an attacker to predict and/or guess the generated string and impersonate a user thereby obtaining higher privileges. When CubeFS creates new users, it creates a piece of sensitive information for the user called the “accessKey”. To create the "accesKey", CubeFS uses an insecure string generator which makes it easy to guess and thereby impersonate the created user. An attacker could leverage the predictable random string generator and guess a users access key and impersonate the user to obtain higher privileges. The issue has been fixed in v3.3.1. There is no other mitigation than to upgrade.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
Vulnerability Type
使用不充分的随机数
Vulnerability Title
CubeFS 安全特征问题漏洞
Vulnerability Description
CubeFS是CubeFS个人开发者的一种云原生文件存储。 CubeFS 3.3.1之前版本存在安全特征问题漏洞,该漏洞源于使用不安全的随机字符串生成器来生成用户特定的敏感密钥。攻击者利用该漏洞可以升级权限。
CVSS Information
N/A
Vulnerability Type
N/A