GSA_kwCzR0hTQS13eDhxLTRnbTktcmoyZ84AA6B0

Severity: Moderate. EPSS: 0.00069% (0.21241 percentile)

Fluid vulnerable to OS Command Injection for Fluid Users with JuicefsRuntime

Affected package: go:github.com/fluid-cloudnative/fluid
PURL: pkg:go/github.com%2Ffluid-cloudnative%2Ffluid
Affected versions: < 0.9.3
Fixed versions: 0.9.3
Dependents: 4 dependent packages, 3 dependent repositories

Affected Version Ranges

All affected versions

v0.1.0, v0.2.0, v0.3.0, v0.4.0, v0.5.0, v0.6.0, v0.7.0, v0.8.0, v0.8.1, v0.8.2, v0.8.3, v0.8.4, v0.8.5, v0.8.6, v0.8.7, v0.9.0, v0.9.1, v0.9.2

All unaffected versions

v0.9.3, v1.0.0, v1.0.1, v1.0.2, v1.0.3, v1.0.4, v1.0.5, v1.0.6, v1.0.7, v1.0.8

Impact

An OS command injection vulnerability in the Fluid project's JuicefsRuntime can allow an authenticated user who has permission to create or update the Kubernetes CRDs Dataset/JuicefsRuntime to execute arbitrary OS commands within the JuiceFS-related containers. This could lead to unauthorized access to, modification of, or deletion of data.

Patches

Users running a version earlier than 0.9.3 with JuicefsRuntime should upgrade to v0.9.3.

Credits

Special thanks to the discoverer of this issue:

Xiaozheng Zhang xiaozheng_zhang@outlook.com