CVE-2023-4640 MEDIUM

CVE-2023-4640: Set Logging Level Without Authentication

Vendor Yugabytedb
Product Anywhere
Weakness CWE-284
Published August 30, 2023
Last update October 1, 2024

CVSS base score

6.5/10 (Medium)
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

The controller responsible for setting the logging level performs no authentication check at all: it extends Controller rather than AuthenticatedController and adds no check of its own, so the endpoint accepts requests from clients that have never logged in. This issue affects YugabyteDB Anywhere from 2.0.0 through 2.17.3.
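The advisory points at the tell-tale sign of this bug class: a controller class that extends the framework's bare Controller instead of the project's AuthenticatedController. The script below is an added example, not code from the YugabyteDB Anywhere project, that turns that observation into a repeatable source audit: it scans Java sources for `class X extends Y` declarations and reports any controller that inherits from the unauthenticated base without being on an explicit allow-list of intentionally public endpoints. The Java snippets, package names, class names and the allow-list are all constructed for illustration; the real vulnerable class is not named on this page.

```python
"""Audit Java controller sources for classes that bypass the authenticated base class.

Added example, not part of the YugabyteDB Anywhere code base. It encodes the check
implied by the advisory: a controller that extends Controller rather than
AuthenticatedController is served without any login check. All sample sources,
package names and class names below are constructed assumptions.
"""
import re
from typing import Dict, List, Set

# Play's base controller performs no authentication; the project's wrapper does.
# (Class names taken from the advisory text; the fully qualified Play name is assumed.)
UNAUTHENTICATED_BASES = {"Controller", "play.mvc.Controller"}

# Controllers that legitimately stay reachable without a session (login, health).
# Constructed allow-list; a real one would be maintained next to the code.
ALLOWED_PUBLIC: Set[str] = {"SessionController", "HealthController"}

# Matches `class Name extends Base` (Base may be fully qualified).
CLASS_DECL = re.compile(r"\bclass\s+(?P<name>\w+)\s+extends\s+(?P<base>[\w.]+)")


def strip_comments(src: str) -> str:
    """Remove /* */ and // comments so commented-out declarations are not reported."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def find_unauthenticated_controllers(
    sources: Dict[str, str], allowed: Set[str] = ALLOWED_PUBLIC
) -> List[str]:
    """Return 'path:ClassName' for every class that extends the bare Controller
    and is not allow-listed. Classes extending AuthenticatedController (or any
    other subclass) pass; the check is deliberately conservative."""
    findings: List[str] = []
    for path, src in sources.items():
        for m in CLASS_DECL.finditer(strip_comments(src)):
            name, base = m.group("name"), m.group("base")
            if base in UNAUTHENTICATED_BASES and name not in allowed:
                findings.append(f"{path}:{name}")
    return findings


# Constructed sample sources: one vulnerable controller, one hardened, one allow-listed.
SAMPLE_SOURCES: Dict[str, str] = {
    "controllers/LoggingLevelController.java": """
        package com.example.controllers;   // constructed package, not the real one
        import play.mvc.Controller;
        import play.mvc.Result;

        // Vulnerable pattern from the advisory: no login check before the action runs
        public class LoggingLevelController extends Controller {
            public Result setLevel(String level) { return ok(); }
        }
    """,
    "controllers/BackupController.java": """
        package com.example.controllers;
        import play.mvc.Result;

        // Hardened pattern: the base class enforces authentication for every action
        public class BackupController extends AuthenticatedController {
            public Result list() { return ok(); }
        }
    """,
    "controllers/SessionController.java": """
        package com.example.controllers;
        import play.mvc.Controller;
        import play.mvc.Result;

        // Intentionally public (login endpoint), so it is allow-listed above
        public class SessionController extends Controller {
            public Result login() { return ok(); }
        }
    """,
}

if __name__ == "__main__":
    for finding in find_unauthenticated_controllers(SAMPLE_SOURCES):
        print("unauthenticated controller:", finding)
```

Run against a real tree, the allow-list is the important part: every hit is either a finding or a deliberate, reviewed exception, and a new controller that extends the bare base without being added to the list fails the check in CI rather than shipping as the next CVE of this kind.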

Key dates

02 Disclosure timeline

August 30, 2023 CVE published
October 1, 2024 Record updated