CVE-2023-0575

Summary

External Control of Critical State Data, Improper Control of Generation of Code ('Code Injection') vulnerability in YugaByte, Inc. Yugabyte DB on Windows, Linux, MacOS, iOS (DevopsBase.Java:execCommand, TableManager.Java:runCommand modules) allows API Manipulation, Privilege Abuse. This vulnerability is associated with program files backup.Py.

This issue affects Yugabyte DB: Lesser then 2.2.0.0

Affected Software

VendorProductVersion RangeStatus
YugabyteDBYugabyteDB2.0 < 2.15affected

Weaknesses

  • CWE-642: CWE-642: External Control of Critical State Data
  • CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')

Workarounds

In yugaware/config/configs folder there is a file acceptableKeys.yaml which contains a list of acceptable keys for different types of providers. Edit it and restart the Yugaware process to reload the list.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References