CVE-2024-6908 describes a privilege escalation vulnerability discovered in YugabyteDB Anywhere. This flaw allows authenticated administrative users to elevate their privileges to SuperAdmin, potentially granting them complete control over the system. The vulnerability affects versions 2.14.0.0 through 2.20.3.0, and a fix is available in version 2.20.3.0.
Successful exploitation of CVE-2024-6908 could grant an attacker full SuperAdmin privileges within the YugabyteDB Anywhere environment. This level of access allows for unauthorized modification of system configurations, access to sensitive data, and potentially complete control over the database cluster. An attacker could leverage this to exfiltrate data, disrupt operations, or even compromise the underlying infrastructure. The blast radius extends to any data stored within the YugabyteDB Anywhere cluster, and the potential for lateral movement depends on the broader network architecture and access controls.
CVE-2024-6908 was publicly disclosed on 2024-07-19. There is no indication of active exploitation campaigns or publicly available proof-of-concept code at this time. The vulnerability is not currently listed on the CISA KEV catalog. The ease of exploitation is likely dependent on the attacker's ability to craft a valid PUT request and authenticate as an administrative user.
Organizations utilizing YugabyteDB Anywhere in production environments, particularly those with administrative users who have broad privileges, are at risk. This includes deployments where access controls are not strictly enforced and where the principle of least privilege is not consistently applied. Shared hosting environments utilizing YugabyteDB Anywhere may also be vulnerable if administrative accounts are not properly isolated.
Exploitation status: EPSS 0.05% (16th percentile)
The primary mitigation for CVE-2024-6908 is to upgrade YugabyteDB Anywhere to version 2.20.3.0 or later, which contains the fix. If an immediate upgrade is not feasible, consider implementing stricter access controls and limiting the privileges of administrative users. Review existing user roles and permissions to ensure the principle of least privilege is enforced. While a direct workaround is unavailable, carefully auditing HTTP requests and implementing input validation on PUT requests can help reduce the attack surface. After upgrading, verify the integrity of the system by reviewing user roles and permissions and confirming that no unauthorized SuperAdmin accounts exist.
Update YugabyteDB Anywhere to the latest available version. Versions 2.14.18.0, 2.16.10.0, 2.18.7.0 and 2.20.3.0 or later contain the fix for this vulnerability. This prevents administrative users from escalating their privileges to SuperAdmin through manipulated HTTP requests.
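The two checks the advisory asks operators to perform, as an added example that is not part of the advisory or of YugabyteDB's own tooling: first, a version check that decides whether a running YugabyteDB Anywhere release falls inside the affected range, using the affected range (2.14.0.0 onward) and the per-release-line fixed versions (2.14.18.0, 2.16.10.0, 2.18.7.0, 2.20.3.0) quoted on this page; second, a post-upgrade audit that lists SuperAdmin accounts not on an expected allowlist. The user records are constructed sample data, and the `email`/`role` field names are an assumption about the shape of an exported user list, not a documented YugabyteDB Anywhere API response.

```python
# Defender-side checks for CVE-2024-6908 (added example; assumptions noted inline).

# Affected range start and the first fixed release on each release line, as
# listed on the advisory page. Release lines are identified by major.minor.
AFFECTED_MIN = "2.14.0.0"
FIXED_VERSIONS = ["2.14.18.0", "2.16.10.0", "2.18.7.0", "2.20.3.0"]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.20.3.0' into (2, 20, 3, 0) so tuples compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """Return True if this YugabyteDB Anywhere version is inside the affected range.

    A version is affected when it is at or after 2.14.0.0 and below the fixed
    release for its release line. Release lines with no listed fix (e.g. 2.19.x)
    are treated as affected if they are below the newest listed fixed version.
    """
    v = parse_version(version)
    if v < parse_version(AFFECTED_MIN):
        return False  # predates the affected range
    for fixed in FIXED_VERSIONS:
        f = parse_version(fixed)
        if f[:2] == v[:2]:  # same release line
            return v < f
    # No fix listed for this line: affected only if older than the newest fix.
    return v < parse_version(FIXED_VERSIONS[-1])


def unexpected_superadmins(users: list[dict], allowlist: set[str]) -> list[str]:
    """List SuperAdmin accounts that are not on the expected allowlist.

    Assumed record shape: {"email": str, "role": str}. After upgrading, any
    account returned here should be investigated and its role corrected.
    """
    return sorted(
        u["email"]
        for u in users
        if u.get("role") == "SuperAdmin" and u["email"] not in allowlist
    )


# Constructed sample user export (not real accounts).
SAMPLE_USERS = [
    {"email": "owner@example.com", "role": "SuperAdmin"},
    {"email": "dba@example.com", "role": "Admin"},
    {"email": "ops@example.com", "role": "SuperAdmin"},  # not expected
    {"email": "viewer@example.com", "role": "ReadOnly"},
]
EXPECTED_SUPERADMINS = {"owner@example.com"}

if __name__ == "__main__":
    for ver in ["2.14.17.0", "2.14.18.0", "2.20.2.0", "2.20.3.0", "2.21.0.0"]:
        print(f"{ver}: {'AFFECTED' if is_vulnerable(ver) else 'not affected'}")
    print("Unexpected SuperAdmin accounts:",
          unexpected_superadmins(SAMPLE_USERS, EXPECTED_SUPERADMINS))
```

Run the version check against the version reported by your YugabyteDB Anywhere installation, and feed the audit function the user list exported from your own deployment; the allowlist should be the set of accounts that are supposed to hold SuperAdmin.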
CVE-2024-6908 is a vulnerability in YugabyteDB Anywhere allowing authenticated admin users to escalate to SuperAdmin, potentially gaining full control. CVSS severity is pending evaluation.
You are affected if you are running YugabyteDB Anywhere versions 2.14.0.0 through 2.20.3.0. Upgrade to 2.20.3.0 or later to mitigate the risk.
Upgrade YugabyteDB Anywhere to version 2.20.3.0 or later. If immediate upgrade is not possible, review and restrict administrative user privileges.
There is currently no evidence of active exploitation of CVE-2024-6908, but the patch should still be applied promptly.
Refer to the official YugabyteDB security advisory for detailed information and updates: [https://www.yugabyte.com/security/advisories/](https://www.yugabyte.com/security/advisories/)