CVE entries for vendor Yugabyte, product YugabyteDB (11 CVEs total)
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2025-8865 | 1 Yugabyte | 1 Yugabytedb | 2025-08-12 | 2.0 Low | The YugabyteDB tablet server contains a flaw in its YCQL query handling that can trigger a null pointer dereference when processing certain malformed inputs. An authenticated attacker could exploit this issue to crash the YCQL tablet server, resulting in a denial of service.
CVE-2025-8866 | 1 Yugabyte | 1 Yugabytedb | 2025-08-12 | 5.3 Medium | YugabyteDB Anywhere web server does not properly enforce authentication for the /metamaster/universe API endpoint. An unauthenticated attacker could exploit this flaw to obtain server networking configuration details, including private and public IP addresses and DNS records.
CVE-2025-8864 | 1 Yugabyte | 1 Yugabytedb | 2025-08-12 | 3.5 Low | Shared Access Signature token is not masked in the backup configuration response and is also exposed in the yb_backup logs.
CVE-2025-8863 | 1 Yugabyte | 1 Yugabytedb | 2025-08-12 | 3.7 Low | YugabyteDB diagnostic information was transmitted over HTTP, which could expose sensitive data during transmission.
CVE-2025-8862 | 1 Yugabyte | 1 Yugabytedb | 2025-08-12 | 3.1 Low | YugabyteDB has been collecting diagnostics information from YugabyteDB servers, which may include sensitive gflag configurations. To mitigate this, we recommend upgrading the database to a version where this information is properly redacted.
CVE-2024-41435 | 1 Yugabyte | 1 Yugabytedb | 2025-07-03 | 7.5 High | YugabyteDB v2.21.1.0 was discovered to contain a buffer overflow via the "insert into" parameter.
CVE-2023-0575 | 4 Apple, Linux, Microsoft and 1 more | 5 Iphone Os, Macos, Linux Kernel and 2 more | 2025-03-24 | 7.2 High | External Control of Critical State Data, Improper Control of Generation of Code ('Code Injection') vulnerability in YugaByte, Inc. Yugabyte DB on Windows, Linux, MacOS, iOS (DevopsBase.Java:execCommand, TableManager.Java:runCommand modules) allows API Manipulation, Privilege Abuse. This vulnerability is associated with program files backup.Py. This issue affects Yugabyte DB: less than 2.2.0.0.
CVE-2023-6002 | 1 Yugabyte | 1 Yugabytedb | 2024-11-21 | 6.5 Medium | YugabyteDB is vulnerable to cross site scripting (XSS) via log injection. Writing unvalidated user input to log files can allow an unprivileged attacker to forge log entries or inject malicious content into the logs.
CVE-2023-6001 | 1 Yugabyte | 1 Yugabytedb | 2024-11-21 | 5.3 Medium | Prometheus metrics are available without authentication. These expose detailed and sensitive information about the YugabyteDB Anywhere environment.
CVE-2023-4640 | 1 Yugabyte | 1 Yugabytedb | 2024-11-21 | 6.5 Medium | The controller responsible for setting the logging level does not include any authorization checks to ensure the user is authenticated. This can be seen by noting that it extends Controller rather than AuthenticatedController and includes no further checks. This issue affects YugabyteDB Anywhere: from 2.0.0 through 2.17.3.
CVE-2022-37397 | 1 Yugabyte | 1 Yugabytedb | 2024-11-21 | 8.3 High | An issue was discovered in YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft's Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password.