CVE-2024-26133

EPSS 0.07%
Veröffentlicht 21.02.2024 17:15:10
Zuletzt bearbeitet 04.02.2025 15:07:56
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

EventStoreDB (ESDB) is an operational database built to store events. A vulnerability has been identified in the projections subsystem in versions 20 prior to 20.10.6, 21 prior to 21.10.11, 22 prior to 22.10.5, and 23 prior to 23.10.1. Only database instances that use custom projections are affected by this vulnerability. User passwords may become accessible to those who have access to the chunk files on disk, and users who have read access to system streams. Only users in the `$admins` group can access system streams by default. ESDB 23.10.1, 22.10.5, 21.10.11, and 20.10.6 contain a patch for this issue. Users should upgrade EventStoreDB, reset the passwords for current and previous members of `$admins` and `$ops` groups, and, if a password was reused in any other system, reset it in those systems to a unique password to follow best practices. If an upgrade cannot be done immediately, reset the passwords for current and previous members of `$admins` and `$ops` groups. Avoid creating custom projections until the patch has been applied.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 9

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Kurrent ≫ Eventstoredb SwEditionopen-source Version >= 20.10.0 < 20.10.6

Kurrent ≫ Eventstoredb SwEditionopen-source Version >= 21.10.0 < 21.10.11

Kurrent ≫ Eventstoredb SwEditionopen-source Version >= 22.10.0 < 22.10.5

Kurrent ≫ Eventstoredb SwEditionopen-source Version >= 23.10.0 < 23.10.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.209

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.9	1.2	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	5.5	1.2	4.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L

CWE-256 Plaintext Storage of a Password

Storing a password in plaintext may result in a system compromise.

CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version

Product

https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10

Release Notes

https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf

Patch

https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684

Vendor Advisory

https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133

Broken Link

https://www.eventstore.com/blog/new-version-strategy

Broken Link