Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13eDhxLTRnbTktcmoyZ84AA6B0
Fluid vulnerable to OS Command Injection for Fluid Users with JuicefsRuntime
Impact
An OS command injection vulnerability in the Fluid project's JuicefsRuntime can allow an authenticated user who has permission to create or update the Kubernetes CRDs Dataset and JuicefsRuntime to execute arbitrary OS commands inside the JuiceFS-related containers. This could lead to unauthorized access to, modification of, or deletion of data.
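To make the failure mode concrete, the following Go snippet (an added illustration, not code from Fluid or JuiceFS, and not the patch in the referenced commits) contrasts the vulnerable pattern with a hardened one: an operator copies fields out of a user-controlled custom resource, and the vulnerable builder splices them into a string that is later run through `sh -c`, while the hardened builder allowlists each field and hands an argv to the runtime with no shell in between. The `JuicefsSpec` type, its field names, the `/bin/mount.juicefs` invocation and its `-o` flag are hypothetical stand-ins chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// JuicefsSpec is a constructed stand-in for the handful of fields an
// operator copies out of a Dataset/JuicefsRuntime object. The field names
// and the mount helper below are hypothetical, not Fluid's real schema.
type JuicefsSpec struct {
	Name       string   // metadata.name of the runtime object
	MountPoint string   // path the FUSE daemon should mount at
	Options    []string // mount options, e.g. "cache-size=1024"
}

// BuildMountCmdUnsafe shows the vulnerable pattern: CRD fields are
// interpolated into one string that is executed via "sh -c", so any shell
// metacharacter a user puts in the object (";", "$(...)", backticks, "|")
// is interpreted by the shell inside the container.
func BuildMountCmdUnsafe(s JuicefsSpec) []string {
	cmd := fmt.Sprintf("/bin/mount.juicefs %s %s -o %s",
		s.Name, s.MountPoint, strings.Join(s.Options, ","))
	return []string{"sh", "-c", cmd}
}

// Allowlists for each field. Names follow the DNS-label rules Kubernetes
// already imposes on metadata.name; paths and options are restricted to a
// conservative character set that contains no shell syntax at all.
var (
	nameRe   = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)
	pathRe   = regexp.MustCompile(`^/[A-Za-z0-9_./-]*$`)
	optionRe = regexp.MustCompile(`^[A-Za-z0-9_-]+(=[A-Za-z0-9_.:/-]+)?$`)
)

// ErrInvalidSpec is returned (wrapped) for any field that fails validation.
var ErrInvalidSpec = errors.New("invalid JuicefsRuntime spec")

// ValidateSpec rejects every field that does not match its allowlist. The
// ".." check keeps an otherwise well-formed path from escaping the intended
// mount root.
func ValidateSpec(s JuicefsSpec) error {
	if !nameRe.MatchString(s.Name) {
		return fmt.Errorf("%w: runtime name %q", ErrInvalidSpec, s.Name)
	}
	if !pathRe.MatchString(s.MountPoint) || strings.Contains(s.MountPoint, "..") {
		return fmt.Errorf("%w: mount point %q", ErrInvalidSpec, s.MountPoint)
	}
	for _, o := range s.Options {
		if !optionRe.MatchString(o) {
			return fmt.Errorf("%w: mount option %q", ErrInvalidSpec, o)
		}
	}
	return nil
}

// BuildMountCmdSafe validates the spec and then returns an argv vector to be
// passed straight to exec (or to a container command/args list). Because no
// shell parses it, a field can only ever be one argument, never a second
// command.
func BuildMountCmdSafe(s JuicefsSpec) ([]string, error) {
	if err := ValidateSpec(s); err != nil {
		return nil, err
	}
	argv := []string{"/bin/mount.juicefs", s.Name, s.MountPoint}
	if len(s.Options) > 0 {
		argv = append(argv, "-o", strings.Join(s.Options, ","))
	}
	return argv, nil
}

func main() {
	// Constructed malicious object: a legitimate-looking option with a
	// trailing injected command.
	evil := JuicefsSpec{
		Name:       "demo",
		MountPoint: "/runtime-mnt/demo",
		Options:    []string{"cache-size=1024; touch /tmp/pwned"},
	}
	fmt.Printf("unsafe argv: %q\n", BuildMountCmdUnsafe(evil))
	if _, err := BuildMountCmdSafe(evil); err != nil {
		fmt.Println("safe builder rejected it:", err)
	}

	good := JuicefsSpec{Name: "demo", MountPoint: "/runtime-mnt/demo",
		Options: []string{"cache-size=1024", "writeback"}}
	argv, _ := BuildMountCmdSafe(good)
	fmt.Printf("safe argv: %q\n", argv)
}
```

The argv-only builder is the structural fix; the allowlists are defence in depth so that a value such as `$(id)` is refused before it ever reaches the mount helper, which may do its own parsing. In a real operator the same validation belongs in a validating admission webhook or CRD validation rules as well, so that an invalid object is rejected at `kubectl apply` time rather than when the controller reconciles it.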
Patches
Users running a version earlier than 0.9.3 with JuicefsRuntime should upgrade to v0.9.3.
Credits
Special thanks to the discoverers of this issue:
Xiaozheng Zhang
Permalink: https://github.com/advisories/GHSA-wx8q-4gm9-rj2g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13eDhxLTRnbTktcmoyZ84AA6B0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 8 months ago
Updated: 8 months ago
CVSS Score: 4.0
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N
Identifiers: GHSA-wx8q-4gm9-rj2g, CVE-2023-51699
References:
- https://github.com/fluid-cloudnative/fluid/security/advisories/GHSA-wx8q-4gm9-rj2g
- https://github.com/fluid-cloudnative/fluid/commit/02b7cd8b79a26092df95d625664994bda485c722
- https://nvd.nist.gov/vuln/detail/CVE-2023-51699
- https://github.com/fluid-cloudnative/fluid/commit/e0184cff8790ad000c3e8943392c7f544fad7d66
- https://github.com/advisories/GHSA-wx8q-4gm9-rj2g
Blast Radius: 1.9
Affected Packages
go:github.com/fluid-cloudnative/fluid
Dependent packages: 4
Dependent repositories: 3
Affected Version Ranges: < 0.9.3
Fixed in: 0.9.3
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.9.0, 0.9.1, 0.9.2
All unaffected versions: 0.9.3, 1.0.0, 1.0.1, 1.0.2, 1.0.3