CVE-2024-26133

Summary

CVE-2024-26133 is a vulnerability affecting EventStoreDB versions 20.10.5 and below, 21.10.11 and below, 22.10.5 and below, and 23.10.1 and below. This issue, which resides in the projections subsystem, puts user passwords at risk when custom projections are used. Those with access to the chunk files on disk and to system streams can potentially gain access to these passwords. Only users in the `$admins` group can access system streams by default. EventStoreDB has released patches for versions 23.10.1, 22.10.5, 21.10.11, and 20.10.6 to address this vulnerability. It is recommended that users upgrade their EventStoreDB instances, reset the passwords for current and previous members of `$admins` and `$ops` groups, and follow best practices by using unique passwords across systems. If an immediate upgrade is not possible, users should reset the passwords for current and previous members of these groups. Until the patch is applied, custom projections should be avoided.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.