管理员可以通过手动 PUT 请求提升权限至 SuperAdmin

Successful exploitation of CVE-2024-6908 could grant an attacker full SuperAdmin privileges within the YugabyteDB Anywhere environment. This level of access allows for unauthorized modification of system configurations, access to sensitive data, and potentially complete control over the database cluster. An attacker could leverage this to exfiltrate data, disrupt operations, or even compromise the underlying infrastructure. The blast radius extends to any data stored within the YugabyteDB Anywhere cluster, and the potential for lateral movement depends on the broader network architecture and access controls.

Organizations utilizing YugabyteDB Anywhere in production environments, particularly those with administrative users who have broad privileges, are at risk. This includes deployments where access controls are not strictly enforced and where the principle of least privilege is not consistently applied. Shared hosting environments utilizing YugabyteDB Anywhere may also be vulnerable if administrative accounts are not properly isolated.

1. 2024-07-19Disclosure

   disclosure

1. 已保留2024-07-18
2. 发布日期2024-07-19
3. 修改日期2024-08-01
4. EPSS 更新日期2026-04-02

The primary mitigation for CVE-2024-6908 is to upgrade YugabyteDB Anywhere to version 2.20.3.0 or later, which contains the fix. If an immediate upgrade is not feasible, consider implementing stricter access controls and limiting the privileges of administrative users. Review existing user roles and permissions to ensure the principle of least privilege is enforced. While a direct workaround is unavailable, carefully auditing HTTP requests and implementing input validation on PUT requests can help reduce the attack surface. After upgrading, verify the integrity of the system by reviewing user roles and permissions and confirming that no unauthorized SuperAdmin accounts exist.