6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-46739

GHSA ID

GHSA-8579-7p32-f398

EPSS Score

0.19724%

CWE

CWE-203

Published

1/3/2024

Updated

11/18/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-46739

CVE-2023-46739: CubeFS timing attack can leak user passwords

A vulnerability was found during in the CubeFS master component that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS used raw string comparison of passwords.

The vulnerable part of CubeFS was the UserService of the master component. The UserService gets instantiated when starting the server of the master component.

CubeFS has not seen any evidence of this being exploited in the wild. The vulnerability was found during a security audit conducted by Ada Logics in collaboration with OSTIF and the CNCF.

The issue has been patched in v3.3.1. For impacted users, there is no other way to mitigate the issue besides upgrading.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-46739

GHSA ID

GHSA-8579-7p32-f398

EPSS Score

0.19724%

CWE

CWE-203

Published

1/3/2024

Updated

11/18/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/cubefs/cubefs	go	< 3.3.1	3.3.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure password comparison in UserService. The commit diff shows the vulnerable code was directly comparing plaintext passwords with 'ak.Password != args.Password'. String comparisons in Go are not constant-time - they exit early on first mismatch, creating observable timing differences. This allows attackers to perform statistical analysis to guess password characters. The patched version replaced this with hashed comparisons, confirming the original function's vulnerability. The file path and function name are explicitly shown in the diff and vulnerability description.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s *oun* *urin* in t** *u***S m*st*r *ompon*nt t**t *oul* *llow *n untrust** *tt**k*r to st**l us*r p*sswor*s *y **rryin* out * timin* *tt**k. T** root **s* o* t** vuln*r**ility w*s t**t *u***S us** r*w strin* *omp*rison o* p*sswor*s

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* p*sswor* *omp*rison in `Us*rS*rvi**`. T** *ommit *i** s*ows t** vuln*r**l* *o** w*s *ir**tly *omp*rin* pl*int*xt p*sswor*s wit* '*k.P*sswor* != *r*s.P*sswor*'. Strin* *omp*risons in *o *r* not *onst*nt-tim* - t**

6.5

Basic Information

Concerned about an active attack path?

CVE-2023-46739: CubeFS timing attack can leak user passwords

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI