CVE-2025-8866

YugabyteDB Anywhere web server does not properly enforce authentication for the /metamaster/universe API endpoint. An unauthenticated attacker could exploit this flaw to obtain server networking configuration details, including private and public IP addresses and DNS records.

CVSS

No CVSS.

References

Link	Resource
https://docs.yugabyte.com/preview/secure/vulnerability-disclosure-policy/

Configurations

No configuration.

History

No history.

Information

Published : 2025-08-11 17:15

Updated : 2025-08-11 18:32

NVD link : CVE-2025-8866

Mitre link : CVE-2025-8866

CVE.ORG link : CVE-2025-8866

JSON object : View

Products Affected

No product.

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2025-8866", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security@yugabyte.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "CLEAR", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-11T17:15:27.557", "references": [{"url": "https://docs.yugabyte.com/preview/secure/vulnerability-disclosure-policy/", "source": "security@yugabyte.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security@yugabyte.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "YugabyteDB Anywhere web server does not properly enforce authentication for the /metamaster/universe API endpoint. An unauthenticated attacker could exploit this flaw to obtain server networking configuration details, including private and public IP addresses and DNS records."}, {"lang": "es", "value": "El servidor web YugabyteDB Anywhere no aplica correctamente la autenticaci\u00f3n para el endpoint de la API /metamaster/universe. Un atacante no autenticado podr\u00eda explotar esta vulnerabilidad para obtener informaci\u00f3n de configuraci\u00f3n de red del servidor, incluyendo direcciones IP privadas y p\u00fablicas, y registros DNS."}], "lastModified": "2025-08-11T18:32:48.867", "sourceIdentifier": "security@yugabyte.com"}

CVE-2025-8866

JSON object

Attach tags to CVE-2025-8866

Attach tags to `CVE-2025-8866`