CVE-2023-51699: Fluid vulnerable to OS Command Injection for Fluid Users with JuicefsRuntime

March 15, 2024

Impact

OS command injection vulnerability within the Fluid project’s JuicefsRuntime can potentially allow an authenticated user, who has the authority to create or update the K8s CRD Dataset/JuicefsRuntime, to execute arbitrary OS commands within the juicefs related containers. This could lead to unauthorized access, modification or deletion of data.

Patches

For users who’re using version < 0.9.3 with JuicefsRuntime， upgrade to v0.9.3.

References

Are there any links users can visit to find out more?

Credits

Special thanks to the discovers of this issue:

Xiaozheng Zhang xiaozheng_zhang@outlook.com

References

github.com/advisories/GHSA-wx8q-4gm9-rj2g
github.com/fluid-cloudnative/fluid
github.com/fluid-cloudnative/fluid/commit/02b7cd8b79a26092df95d625664994bda485c722
github.com/fluid-cloudnative/fluid/security/advisories/GHSA-wx8q-4gm9-rj2g
nvd.nist.gov/vuln/detail/CVE-2023-51699

Detect and mitigate CVE-2023-51699 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →