CVE-2024-6908: Privilege Escalation in YugabyteDB Anywhere
Platform: other
Component: yugabyte-db
Fixed in: 2.14.18, 2.16.10, 2.18.7.0, 2.20.3.0
CVE-2024-6908 describes a privilege escalation vulnerability in YugabyteDB Anywhere. The flaw allows an already authenticated administrative user to elevate their own role to SuperAdmin, potentially granting complete control over the system. The vulnerability affects versions 2.14.0.0 through 2.20.3.0, and a fix is available in version 2.20.3.0.
Impact and Attack Scenarios
Successful exploitation of CVE-2024-6908 grants an attacker full SuperAdmin privileges within the YugabyteDB Anywhere environment. This level of access allows unauthorized modification of system configurations, access to sensitive data, and potentially complete control over the managed database clusters. An attacker could use it to exfiltrate data, disrupt operations, or compromise the underlying infrastructure. The blast radius covers any data stored in clusters managed by YugabyteDB Anywhere; the potential for lateral movement depends on the broader network architecture and access controls.
Exploitation Context
CVE-2024-6908 was publicly disclosed on 2024-07-19. There is no indication of active exploitation campaigns or publicly available proof-of-concept code at this time, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires the attacker to already hold an administrative account and to submit a crafted PUT request, so the ease of exploitation depends on how tightly administrative access is controlled.
Threat Intelligence
EPSS: 0.05% (16th percentile)
Mitigation and Workarounds
The primary mitigation for CVE-2024-6908 is to upgrade YugabyteDB Anywhere to version 2.20.3.0 or later (or to the fixed release of your branch), which contains the fix. If an immediate upgrade is not feasible, tighten access controls and limit the number of administrative users, and review existing user roles and permissions so that the principle of least privilege is enforced. No direct workaround exists, but auditing HTTP requests to the platform and validating PUT requests reduces the exposed attack surface. After upgrading, verify the integrity of the system by reviewing user roles and permissions and confirming that no unauthorized SuperAdmin accounts exist.
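The two checks the mitigation paragraph calls for, "am I running a fixed release?" and "does any unexpected SuperAdmin account exist after the upgrade?", as an added example that is not code from the advisory or from YugabyteDB. The fixed releases per branch are the ones listed on this page; the handling of branches the page does not list (for example 2.15, 2.17, 2.19), the user-record shape (`email` and `role` keys) and the sample user list are assumptions and are labelled as such in the code.

```python
"""Defender-side checks derived from the CVE-2024-6908 advisory text.

- is_affected(): compares a YugabyteDB Anywhere version with the fixed releases.
- unexpected_superadmins(): post-upgrade audit of a user/role listing.
The record shape and sample data below are hypothetical, not YugabyteDB Anywhere's own.
"""
from __future__ import annotations

# Fixed releases per stable branch, as listed on the advisory page.
FIXED_BY_BRANCH: dict[tuple[int, int], tuple[int, int, int, int]] = {
    (2, 14): (2, 14, 18, 0),
    (2, 16): (2, 16, 10, 0),
    (2, 18): (2, 18, 7, 0),
    (2, 20): (2, 20, 3, 0),
}
FIRST_AFFECTED = (2, 14, 0, 0)   # page: affected from 2.14.0.0
LATEST_FIX = (2, 20, 3, 0)       # page: fixed in 2.20.3.0 or later


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse '2.18.7.0' or '2.14.18' into a four-part tuple.

    A build suffix such as '-b42' is dropped; missing trailing parts become 0.
    """
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    if not 2 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts += [0] * (4 - len(parts))
    return (parts[0], parts[1], parts[2], parts[3])


def is_affected(version: str) -> bool:
    """True if the given version falls inside the advisory's affected range."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        # Stable branch with a listed fix: vulnerable until that release.
        return v < FIXED_BY_BRANCH[branch]
    # Assumption: a branch the page does not list (preview releases such as
    # 2.15/2.17/2.19) is treated as affected until the latest fix named on the page.
    return v < LATEST_FIX


def unexpected_superadmins(users: list[dict], approved: set[str]) -> list[str]:
    """Return e-mails of SuperAdmin users that are not on the approved list.

    Hypothetical record shape: each user is a dict with 'email' and 'role'.
    """
    return sorted(
        u["email"]
        for u in users
        if u.get("role") == "SuperAdmin" and u["email"] not in approved
    )


# Constructed sample user listing (not real data): one approved SuperAdmin,
# one admin, and one SuperAdmin nobody approved.
SAMPLE_USERS = [
    {"email": "owner@example.com", "role": "SuperAdmin"},
    {"email": "ops1@example.com", "role": "Admin"},
    {"email": "ops2@example.com", "role": "SuperAdmin"},
]

if __name__ == "__main__":
    for ver in ("2.14.17.0", "2.18.6.0-b42", "2.20.2.1", "2.20.3.0", "2.21.0.0"):
        print(f"{ver:>14}: {'AFFECTED' if is_affected(ver) else 'fixed / not affected'}")
    print("unexpected SuperAdmin accounts:",
          unexpected_superadmins(SAMPLE_USERS, {"owner@example.com"}))
```

Run the version check against the version reported by your YugabyteDB Anywhere installation, and feed the role audit with the user listing exported from the platform after the upgrade; any account the audit returns should be explained or demoted.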
How to fix
Upgrade YugabyteDB Anywhere to the latest available version. Versions 2.14.18.0, 2.16.10.0, 2.18.7.0 and 2.20.3.0 or later contain the fix for this vulnerability. This prevents administrative users from escalating their privileges to SuperAdmin through manipulated HTTP requests.
Frequently asked questions
What is CVE-2024-6908 — Privilege Escalation in YugabyteDB Anywhere?
CVE-2024-6908 is a vulnerability in YugabyteDB Anywhere that allows authenticated admin users to escalate to SuperAdmin, potentially gaining full control of the platform. CVSS severity is pending evaluation.
Am I affected by CVE-2024-6908 in YugabyteDB Anywhere?
You are affected if you are running YugabyteDB Anywhere versions 2.14.0.0 through 2.20.3.0. Upgrade to 2.20.3.0 or later to mitigate the risk.
How do I fix CVE-2024-6908 in YugabyteDB Anywhere?
Upgrade YugabyteDB Anywhere to version 2.20.3.0 or later. If immediate upgrade is not possible, review and restrict administrative user privileges.
Is CVE-2024-6908 being actively exploited?
There is currently no evidence of active exploitation of CVE-2024-6908, but the patch should still be applied promptly.
Where can I find the official YugabyteDB advisory for CVE-2024-6908?
Refer to the official YugabyteDB security advisory for detailed information and updates: [https://www.yugabyte.com/security/advisories/](https://www.yugabyte.com/security/advisories/)