An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS13eDhxLTRnbTktcmoyZ84AA6B0

Fluid vulnerable to OS Command Injection for Fluid Users with JuicefsRuntime


OS command injection vulnerability within the Fluid project's JuicefsRuntime can potentially allow an authenticated user, who has the authority to create or update the K8s CRD Dataset/JuicefsRuntime, to execute arbitrary OS commands within the juicefs related containers. This could lead to unauthorized access, modification or deletion of data.


For users who're using version < 0.9.3 with JuicefsRuntime, upgrade to v0.9.3.


Are there any links users can visit to find out more?


Special thanks to the discovers of this issue:

Xiaozheng Zhang [email protected]

Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 month ago
Updated: about 1 month ago

CVSS Score: 4.0
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N

Identifiers: GHSA-wx8q-4gm9-rj2g, CVE-2023-51699
References: Repository:
Blast Radius: 1.9

Affected Packages
Dependent packages: 4
Dependent repositories: 3
Affected Version Ranges: < 0.9.3
Fixed in: 0.9.3
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.9.0, 0.9.1, 0.9.2
All unaffected versions: 0.9.3