CVE-2023-46740

Insecure random string generator used for sensitive data

Description

CubeFS is an open-source cloud-native file storage system. Prior to version 3.3.1, CubeFS used an insecure random string generator to generate user-specific, sensitive keys used to authenticate users in a CubeFS deployment. This could allow an attacker to predict and/or guess the generated string and impersonate a user thereby obtaining higher privileges. When CubeFS creates new users, it creates a piece of sensitive information for the user called the “accessKey”. To create the "accesKey", CubeFS uses an insecure string generator which makes it easy to guess and thereby impersonate the created user. An attacker could leverage the predictable random string generator and guess a users access key and impersonate the user to obtain higher privileges. The issue has been fixed in v3.3.1. There is no other mitigation than to upgrade.

Category

6.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.05%
Third-Party Advisory github.com
Affected: cubefs cubefs
Published at:
Updated at:

References

Link Tags
https://github.com/cubefs/cubefs/security/advisories/GHSA-4248-p65p-hcrm third party advisory
https://github.com/cubefs/cubefs/commit/8555c6402794cabdf2cc025c8bea1576122c07ba patch

Frequently Asked Questions

What is the severity of CVE-2023-46740?
CVE-2023-46740 has been scored as a medium severity vulnerability.
How to fix CVE-2023-46740?
To fix CVE-2023-46740, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-46740 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-46740 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-46740?
CVE-2023-46740 affects cubefs cubefs.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.