CVE-2023-6002

Summary

YugabyteDB is vulnerable to cross site scripting (XSS) via log injection. Writing invalidated user input to log files can allow an unprivileged attacker to forge log entries or inject malicious content into the logs.

Affected Software

VendorProductVersion RangeStatus
YugabyteDBYugabyteDB2.0.0.0 <= 2.14.13.0, 2.16.7.0, 2.18.3.0affected
YugabyteDBYugabyteDB2.14.14.0unaffected
YugabyteDBYugabyteDB2.16.8.0unaffected
YugabyteDBYugabyteDB2.18.4.0unaffected

Weaknesses

  • CWE-117: CWE-117: Improper Output Neutralization for Logs

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References