CVE-2024-26133

EventStoreDB (ESDB) is an operational database built to store events. A vulnerability has been identified in the projections subsystem in versions 20 prior to 20.10.6, 21 prior to 21.10.11, 22 prior to 22.10.5, and 23 prior to 23.10.1. Only database instances that use custom projections are affected by this vulnerability. User passwords may become accessible to those who have access to the chunk files on disk, and users who have read access to system streams. Only users in the `$admins` group can access system streams by default. ESDB 23.10.1, 22.10.5, 21.10.11, and 20.10.6 contain a patch for this issue. Users should upgrade EventStoreDB, reset the passwords for current and previous members of `$admins` and `$ops` groups, and, if a password was reused in any other system, reset it in those systems to a unique password to follow best practices. If an upgrade cannot be done immediately, reset the passwords for current and previous members of `$admins` and `$ops` groups. Avoid creating custom projections until the patch has been applied.
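An added example (not vendor or NVD code) that maps the affected ranges and the remediation guidance above onto a single instance's state. The version parsing and the `uses_custom_projections` flag are assumptions; the fixed versions come from the advisory text.

```python
"""Assess an EventStoreDB instance against CVE-2024-26133 (added example)."""
import re
from typing import Optional, Tuple

# First fixed version per major release line, taken from the advisory text.
FIXED_VERSIONS = {
    20: (20, 10, 6),
    21: (21, 10, 11),
    22: (22, 10, 5),
    23: (23, 10, 1),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' (optional leading 'v', optional '-suffix')
    into a comparable tuple. Suffixes such as '-rc1' are ignored (assumption)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable_version(version: str) -> Optional[bool]:
    """True if the version lies in an affected range (e.g. any 22.x below
    22.10.5). None means the major line is not covered by the advisory,
    so the caller should consult the vendor rather than assume it is safe."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return None
    return v < fixed


def assess(version: str, uses_custom_projections: bool) -> str:
    """Turn the advisory's guidance into a one-line action for this instance."""
    state = is_vulnerable_version(version)
    if state is None:
        return "outside the advisory's version ranges: check vendor guidance"
    if state is False:
        return "not affected: version carries the fix"
    if not uses_custom_projections:
        return "vulnerable build but no custom projections: upgrade; do not add custom projections until patched"
    return ("affected: upgrade, then reset passwords of current and previous "
            "$admins/$ops members (and anywhere those passwords were reused)")
```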
Configurations

Configuration 1

cpe:2.3:a:kurrent:eventstoredb:*:*:*:*:open-source:*:*:*

History

04 Feb 2025, 15:07

Type: Values Removed / Values Added
  • First Time (added): Kurrent; Kurrent eventstoredb
  • References: https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version (tag added: Product)
  • References: https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10 (tag added: Release Notes)
  • References: https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf (tag added: Patch)
  • References: https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684 (tag added: Vendor Advisory)
  • References: https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133 (tag added: Broken Link)
  • References: https://www.eventstore.com/blog/new-version-strategy (tag added: Broken Link)
  • CPE (added): cpe:2.3:a:kurrent:eventstoredb:*:*:*:*:open-source:*:*:*
  • CWE (added): CWE-522

21 Nov 2024, 09:02

Type: Values Removed / Values Added
  • References (removed and re-added, no tag): https://developers.eventstore.com/cloud/ops/#upgrading-eventstoredb-version
  • References (removed and re-added, no tag): https://developers.eventstore.com/server/v22.10/upgrade-guide.html#upgrade-guide-for-eventstoredb-22-10
  • References (removed and re-added, no tag): https://github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf
  • References (removed and re-added, no tag): https://github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684
  • References (removed and re-added, no tag): https://www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133
  • References (removed and re-added, no tag): https://www.eventstore.com/blog/new-version-strategy

22 Feb 2024, 19:07

Type: Values Removed / Values Added
  • Summary (added, es; translated from Spanish): EventStoreDB (ESDB) is an operational database built to store events. A vulnerability has been identified in the projections subsystem in versions 20 prior to 20.10.6, 21 prior to 21.10.11, 22 prior to 22.10.5, and 23 prior to 23.10.1. This vulnerability only affects database instances that use custom projections. User passwords may become accessible to those who have access to the chunk files on disk and to users who have read access to the system streams. Only users in the `$admins` group can access the system streams by default. ESDB 23.10.1, 22.10.5, 21.10.11 and 20.10.6 contain a patch for this issue. Users should upgrade EventStoreDB, reset the passwords of the current and previous members of the `$admins` and `$ops` groups and, if a password was reused in any other system, reset it in those systems to a unique password to follow best practices. If an upgrade cannot be performed immediately, reset the passwords of the current and previous members of the `$admins` and `$ops` groups. Avoid creating custom projections until the patch has been applied.

21 Feb 2024, 17:15

Type: Values Removed / Values Added
  • New CVE

Information

Published : 2024-02-21 17:15

Updated : 2025-02-04 15:07


Products Affected

kurrent

  • eventstoredb

CWE
CWE-256

Plaintext Storage of a Password

CWE-522

Insufficiently Protected Credentials