CVE-2023-51699: Fluid vulnerable to OS Command Injection for Fluid Users with JuicefsRuntime
(updated )
OS command injection vulnerability within the Fluid project’s JuicefsRuntime can potentially allow an authenticated user, who has the authority to create or update the K8s CRD Dataset/JuicefsRuntime, to execute arbitrary OS commands within the juicefs related containers. This could lead to unauthorized access, modification or deletion of data.
References
- github.com/advisories/GHSA-wx8q-4gm9-rj2g
- github.com/fluid-cloudnative/fluid
- github.com/fluid-cloudnative/fluid/commit/02b7cd8b79a26092df95d625664994bda485c722
- github.com/fluid-cloudnative/fluid/commit/e0184cff8790ad000c3e8943392c7f544fad7d66
- github.com/fluid-cloudnative/fluid/security/advisories/GHSA-wx8q-4gm9-rj2g
- nvd.nist.gov/vuln/detail/CVE-2023-51699
Code Behaviors & Features
Detect and mitigate CVE-2023-51699 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →