Unauthenticated Access to Logging Level Controller in YugabyteDB Anywhere (Versions 2.0.0 - 2.17.3)

Unauthenticated Access to Logging Level Controller in YugabyteDB Anywhere (Versions 2.0.0 - 2.17.3)

CVE-2023-4640 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

The controller responsible for setting the logging level does not include any authorization checks to ensure the user is authenticated. This can be seen by noting that it extends Controller rather than AuthenticatedController and includes no further checks. This issue affects YugabyteDB Anywhere: from 2.0.0 through 2.17.3

Learn more about our User Device Pen Test.