SCA: security update for github.com/cubefs/cubefs (GHSA-qc6v-g3xw-grmx)

high Tenable Cloud Security Plugin ID 418045

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- CubeFS is an open-source cloud-native file storage system. A security vulnerability was found in CubeFS
HandlerNode in versions prior to 3.3.1 that could allow authenticated users to send maliciously-crafted
requests that would crash the ObjectNode and deny other users from using it. The root cause was improper
handling of incoming HTTP requests that could allow an attacker to control the ammount of memory that the
ObjectNode would allocate. A malicious request could make the ObjectNode allocate more memory that the
machine had available, and the attacker could exhaust memory by way of a single malicious request. An
attacker would need to be authenticated in order to invoke the vulnerable code with their malicious
request and have permissions to delete objects. In addition, the attacker would need to know the names of
existing buckets of the CubeFS deployment - otherwise the request would be rejected before it reached the
vulnerable code. As such, the most likely attacker is an inside user or an attacker that has breached the
account of an existing user in the cluster. The issue has been patched in v3.3.1. There is no other
mitigation besides upgrading. (CVE-2023-46738)

See Also

https://github.com/advisories/GHSA-qc6v-g3xw-grmx

Plugin Details

Severity: High

ID: 418045

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2023-46738

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.1

Threat Score: 4.9

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/3/2024

Vulnerability Publication Date: 1/3/2024

Reference Information

CVE: CVE-2023-46738

cwe: CWE-770