SCA: security update for github.com/cubefs/cubefs (GHSA-4248-p65p-hcrm)

high Tenable Self-Hosted Container Security Plugin ID 409803

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- CubeFS is an open-source cloud-native file storage system. Prior to version 3.3.1, CubeFS used an insecure
random string generator to generate user-specific, sensitive keys used to authenticate users in a CubeFS
deployment. This could allow an attacker to predict and/or guess the generated string and impersonate a
user thereby obtaining higher privileges. When CubeFS creates new users, it creates a piece of sensitive
information for the user called the “accessKey”. To create the "accesKey", CubeFS uses an insecure string
generator which makes it easy to guess and thereby impersonate the created user. An attacker could
leverage the predictable random string generator and guess a users access key and impersonate the user to
obtain higher privileges. The issue has been fixed in v3.3.1. There is no other mitigation than to
upgrade. (CVE-2023-46740)

See Also

https://github.com/advisories/GHSA-4248-p65p-hcrm

Plugin Details

Severity: High

ID: 409803

Version: Revision 1.12

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-46740

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.2

Threat Score: 4.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/3/2024

Vulnerability Publication Date: 1/3/2024

Reference Information

CVE: CVE-2023-46740

cwe: CWE-330