Vulnerability Details CVE-2023-51699
Fluid is an open source Kubernetes-native Distributed Dataset Orchestrator and Accelerator for data-intensive applications. An OS command injection vulnerability within the Fluid project's JuicefsRuntime can potentially allow an authenticated user, who has the authority to create or update the K8s CRD Dataset/JuicefsRuntime, to execute arbitrary OS commands within the juicefs related containers. This could lead to unauthorized access, modification or deletion of data. Users who're using versions < 0.9.3 with JuicefsRuntime should upgrade to v0.9.3.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 15.7%
CVSS Severity
CVSS v3 Score 4.0
References
- https://github.com/fluid-cloudnative/fluid/commit/e0184cff8790ad000c3e8943392c7f544fad7d66
- https://github.com/fluid-cloudnative/fluid/security/advisories/GHSA-wx8q-4gm9-rj2g
- https://github.com/fluid-cloudnative/fluid/commit/e0184cff8790ad000c3e8943392c7f544fad7d66
- https://github.com/fluid-cloudnative/fluid/security/advisories/GHSA-wx8q-4gm9-rj2g
Products affected by CVE-2023-51699
-
cpe:2.3:a:linuxfoundation:fluid:0.1.0
-
cpe:2.3:a:linuxfoundation:fluid:0.2.0
-
cpe:2.3:a:linuxfoundation:fluid:0.3.0
-
cpe:2.3:a:linuxfoundation:fluid:0.4.0
-
cpe:2.3:a:linuxfoundation:fluid:0.5.0
-
cpe:2.3:a:linuxfoundation:fluid:0.6.0
-
cpe:2.3:a:linuxfoundation:fluid:0.7.0
-
cpe:2.3:a:linuxfoundation:fluid:0.8.0
-
cpe:2.3:a:linuxfoundation:fluid:0.8.1
-
cpe:2.3:a:linuxfoundation:fluid:0.8.2
-
cpe:2.3:a:linuxfoundation:fluid:0.8.3
-
cpe:2.3:a:linuxfoundation:fluid:0.8.4
-
cpe:2.3:a:linuxfoundation:fluid:0.8.5
-
cpe:2.3:a:linuxfoundation:fluid:0.8.6
-
cpe:2.3:a:linuxfoundation:fluid:0.9.0
-
cpe:2.3:a:linuxfoundation:fluid:0.9.1
-
cpe:2.3:a:linuxfoundation:fluid:0.9.2