
Potential password leak in the EventStoreDB Projections Subsystem

High
hayley-jean published GHSA-6r53-v8hj-x684 Feb 21, 2024

Package

eventstore-oss

Affected versions

<=23.10.0
<=22.10.4
<=21.10.10
<=20.10.5

Patched versions

23.10.1
22.10.5
21.10.11
20.10.6

Description

Impact

A vulnerability has been identified in the projections subsystem by the Event Store Ltd engineering team and a security release has been published for all LTS versions.

Only database instances that use custom projections are affected by this vulnerability.

User passwords may become accessible to anyone who has access to the chunk files on disk, and to users who have read access to system streams. By default, only users in the $admins group can read system streams.

The vulnerability is present in EventStoreDB versions v20 through v23. Each affected LTS release is receiving a patch with the fix, regardless of its current support status.

Recommended Action

  1. Upgrade EventStoreDB: Event Store Cloud customers should follow the instructions in the cloud upgrade guide; all other deployments should follow the standard upgrade guide.
  2. Reset the passwords for current and previous members of $admins and $ops groups.
  3. If a password was reused in any other system, reset it in those systems to a unique password to follow best practices.

Patches

This patch is to be applied to the following releases (you can also read more about our versioning strategy):

  • Update ESDB 23.10.x to ESDB 23.10.1
  • Update ESDB 22.10.x to ESDB 22.10.5
  • Update ESDB 21.10.x to ESDB 21.10.11
  • Update ESDB 20.10.x to ESDB 20.10.6

Workarounds

If an upgrade cannot be done immediately, reset the passwords for current and previous members of $admins and $ops groups.
Avoid creating custom projections until the patch has been applied.

References

EventStoreDB Security Release: 23.10, 22.10, 21.10 and 20.10 For CVE-2024-26133

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: Low
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: Low

CVSS v3 base metric definitions

Attack vector: More severe the more remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

CVE ID

CVE-2024-26133

Weaknesses

Plaintext Storage of a Password

Storing a password in plaintext may result in a system compromise.
