CVE-2023-0575
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
External Control of Critical State Data, Improper Control of Generation of Code ('Code Injection') vulnerability in YugaByte, Inc. Yugabyte DB on Windows, Linux, MacOS, iOS (DevopsBase.Java:execCommand, TableManager.Java:runCommand modules) allows API Manipulation, Privilege Abuse. This vulnerability is associated with program files backup.Py.
This issue affects Yugabyte DB: Lesser then 2.2.0.0
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| YugabyteDB | YugabyteDB | 2.0 < 2.15 | affected |
Weaknesses
- CWE-642: CWE-642: External Control of Critical State Data
- CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')
Workarounds
In yugaware/config/configs folder there is a file acceptableKeys.yaml which contains a list of acceptable keys for different types of providers. Edit it and restart the Yugaware process to reload the list.
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.