Vulnerabilities > Yugabyte

DATE CVE VULNERABILITY TITLE RISK
2023-11-08 CVE-2023-6001 Missing Authorization vulnerability in Yugabyte Yugabytedb
Prometheus metrics are available without authentication.
network
low complexity
yugabyte CWE-862
7.5
2023-11-08 CVE-2023-6002 Cross-site Scripting vulnerability in Yugabyte Yugabytedb
YugabyteDB is vulnerable to cross site scripting (XSS) via log injection. Writing invalidated user input to log files can allow an unprivileged attacker to forge log entries or inject malicious content into the logs.
network
low complexity
yugabyte CWE-79
6.1
2023-08-30 CVE-2023-4640 Unspecified vulnerability in Yugabyte Yugabytedb
The controller responsible for setting the logging level does not include any authorization checks to ensure the user is authenticated.
network
low complexity
yugabyte
7.5
2023-02-09 CVE-2023-0575 Unspecified vulnerability in Yugabyte Yugabytedb
External Control of Critical State Data, Improper Control of Generation of Code ('Code Injection') vulnerability in YugaByte, Inc.
network
low complexity
yugabyte
critical
9.8
2023-02-09 CVE-2023-0745 Path Traversal vulnerability in Yugabyte Yugabytedb Managed
The High Availability functionality of Yugabyte Anywhere can be abused to write arbitrary files through the backup upload endpoint by using path traversal characters. This vulnerability is associated with program files PlatformReplicationManager.Java. This issue affects YugabyteDB Anywhere: from 2.0.0.0 through 2.13.0.0
network
low complexity
yugabyte CWE-22
critical
9.8
2023-02-09 CVE-2023-0574 Unspecified vulnerability in Yugabyte Yugabytedb Managed
Server-Side Request Forgery (SSRF), Improperly Controlled Modification of Dynamically-Determined Object Attributes, Improper Restriction of Excessive Authentication Attempts vulnerability in YugaByte, Inc.
network
low complexity
yugabyte
critical
9.8
2022-08-12 CVE-2022-37397 Improper Authentication vulnerability in Yugabyte Yugabytedb 2.6.1
An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft’s Active Directory.
network
low complexity
yugabyte CWE-287
critical
9.8
2019-08-05 CVE-2019-3800 Information Exposure vulnerability in multiple products
CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag.
7.8