Platform: other
Component: yugabyte-db
Fixed in: 2.14.18, 2.16.10, 2.18.7.0, 2.20.3.0
CVE-2024-6908 describes a privilege escalation vulnerability discovered in YugabyteDB Anywhere. This flaw allows authenticated administrative users to elevate their privileges to SuperAdmin, potentially granting them complete control over the system. The vulnerability affects versions 2.14.0.0 through 2.20.3.0, and a fix is available in version 2.20.3.0.
Successful exploitation of CVE-2024-6908 could grant an attacker full SuperAdmin privileges within the YugabyteDB Anywhere environment. This level of access allows for unauthorized modification of system configurations, access to sensitive data, and potentially complete control over the database cluster. An attacker could leverage this to exfiltrate data, disrupt operations, or even compromise the underlying infrastructure. The blast radius extends to any data stored within the YugabyteDB Anywhere cluster, and the potential for lateral movement depends on the broader network architecture and access controls.
CVE-2024-6908 was publicly disclosed on 2024-07-19. There is no indication of active exploitation campaigns or publicly available proof-of-concept code at this time. The vulnerability is not currently listed on the CISA KEV catalog. The ease of exploitation is likely dependent on the attacker's ability to craft a valid PUT request and authenticate as an administrative user.
Exploit Status
EPSS: 0.05% (16th percentile)
CISA SSVC
The primary mitigation for CVE-2024-6908 is to upgrade YugabyteDB Anywhere to version 2.20.3.0 or later, which contains the fix. If an immediate upgrade is not feasible, consider implementing stricter access controls and limiting the privileges of administrative users. Review existing user roles and permissions to ensure the principle of least privilege is enforced. While a direct workaround is unavailable, carefully auditing HTTP requests and implementing input validation on PUT requests can help reduce the attack surface. After upgrading, verify the integrity of the system by reviewing user roles and permissions and confirming that no unauthorized SuperAdmin accounts exist.
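As an added example (not YugabyteDB's own code, export format, or API), the following Python script implements the two post-mitigation checks described above: deciding whether a given YugabyteDB Anywhere version string falls inside the vulnerable range using the fixed-in releases listed on this page, and flagging SuperAdmin accounts that are not on an expected allowlist. The user listing format, the usernames, the allowlist, and the rule applied to release branches with no listed fix (2.15.x, 2.17.x, 2.19.x) are assumptions made for this example.

```python
"""Added example (not YugabyteDB's own code): defender-side checks for
CVE-2024-6908 that mirror the advisory's mitigation steps.

1. is_affected(): compare a YugabyteDB Anywhere version string against the
   fixed-in releases listed in the advisory (2.14.18, 2.16.10, 2.18.7.0,
   2.20.3.0), per release branch.
2. unexpected_superadmins(): flag SuperAdmin accounts that are not on an
   expected allowlist, from a user/role listing.

The listing format below is constructed for this example; it is not
YugabyteDB Anywhere's real export or API format.
"""
from typing import Iterable

# Lowest affected version and first fixed release per branch, from the advisory.
# Missing trailing components default to 0 (2.14.18 is read as 2.14.18.0).
FIRST_AFFECTED = (2, 14, 0, 0)
FIXED_BY_BRANCH = {
    (2, 14): (2, 14, 18, 0),
    (2, 16): (2, 16, 10, 0),
    (2, 18): (2, 18, 7, 0),
    (2, 20): (2, 20, 3, 0),
}
LATEST_FIX = (2, 20, 3, 0)


def parse_version(text: str) -> tuple[int, ...]:
    """Normalise 'M.m.p[.b][-suffix]' to a 4-tuple of ints.

    Build suffixes after '-' or '+' are ignored for the comparison.
    """
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True if this YBA version is inside the advisory's vulnerable range.

    Assumption (not stated on the page): branches without a listed fix
    (e.g. 2.15.x, 2.17.x, 2.19.x) are treated as affected until 2.20.3.0.
    Anything at or above 2.20.3.0 is treated as fixed.
    """
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    fixed = FIXED_BY_BRANCH.get(v[:2], LATEST_FIX)
    return v < fixed


# Constructed sample listing: one "username,role" line per account.
SAMPLE_USER_LISTING = """\
# username,role
alice,SuperAdmin
bob,Admin
carol,ReadOnly
svc-backup,Admin
mallory,SuperAdmin
"""

# Hypothetical allowlist: the SuperAdmin accounts you expect to exist.
EXPECTED_SUPERADMINS = {"alice"}


def unexpected_superadmins(listing: str,
                           expected: Iterable[str] = EXPECTED_SUPERADMINS) -> list[str]:
    """Return SuperAdmin usernames that are not on the allowlist, in listing order."""
    allowed = set(expected)
    found = []
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comment lines
        user, _, role = line.partition(",")
        if role.strip() == "SuperAdmin" and user.strip() not in allowed:
            found.append(user.strip())
    return found


if __name__ == "__main__":
    for ver in ("2.14.17.0", "2.14.18.0", "2.18.6.0", "2.20.2.1", "2.20.3.0", "2.21.0.0"):
        state = "AFFECTED" if is_affected(ver) else "fixed/unaffected"
        print(f"{ver:>10}  {state}")
    print("Unexpected SuperAdmin accounts:", unexpected_superadmins(SAMPLE_USER_LISTING))
```

Feed `unexpected_superadmins` whatever role listing your deployment can produce (converted to the simple two-column form above), and keep the allowlist under change control so a newly appearing SuperAdmin stands out after the upgrade.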
Update YugabyteDB Anywhere to the latest available version. Versions 2.14.18.0, 2.16.10.0, 2.18.7.0 and 2.20.3.0 or later contain the fix for this vulnerability. This prevents administrator users from escalating their privileges to SuperAdmin through crafted HTTP requests.
CVE-2024-6908 is a vulnerability in YugabyteDB Anywhere allowing authenticated admin users to escalate to SuperAdmin, potentially gaining full control. CVSS severity is pending evaluation.
You are affected if you are running YugabyteDB Anywhere versions 2.14.0.0 through 2.20.3.0. Upgrade to 2.20.3.0 or later to mitigate the risk.
Upgrade YugabyteDB Anywhere to version 2.20.3.0 or later. If immediate upgrade is not possible, review and restrict administrative user privileges.
There is currently no evidence of active exploitation of CVE-2024-6908, but it's crucial to apply the patch promptly.
Refer to the official YugabyteDB security advisory for detailed information and updates: [https://www.yugabyte.com/security/advisories/](https://www.yugabyte.com/security/advisories/)