VYPR
High severity · NVD Advisory · Published Jan 3, 2024 · Updated Jun 17, 2025

Timing attack can leak user passwords

CVE-2023-46739

Description

CubeFS is an open-source cloud-native file storage system. A vulnerability was found in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root cause of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the UserService of the master component. The UserService gets instantiated when starting the server of the master component. The issue has been patched in v3.3.1. For impacted users, there is no other way to mitigate the issue besides upgrading.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CubeFS master component uses raw string comparison for passwords, enabling a timing attack to steal credentials before v3.3.1.

Vulnerability

CubeFS, an open-source cloud-native distributed file system, contains a vulnerability in its master component's UserService [1]. The root cause is that the software performed raw string comparison of passwords during authentication [1]. This means the comparison returns as soon as a mismatched character is found, making the response time depend on how many initial characters match the attacker's guess [1].

Exploitation

A remote, untrusted attacker can exploit this by repeatedly sending authentication attempts with guessed passwords and measuring the server's response time [1]. The attacker does not need prior authentication or special network access beyond being able to reach the master component's API endpoint [1].

Impact

Successful timing analysis allows the attacker to recover a user's plaintext password character by character [1]. With the victim's password, the attacker can fully impersonate that user, gaining access to all resources and operations permitted to that account within the CubeFS cluster [1].

Mitigation

The vulnerability is fixed in CubeFS version 3.3.1 [1]. The fix, visible in two commits, replaces the direct string comparison with a comparison of SHA-256 digests of both values, so the time taken no longer depends on how many leading characters of the guess match the stored password [3][4]. There is no workaround available; impacted users must upgrade to v3.3.1 or later [1].
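The two comparison strategies side by side, as an added example that is not CubeFS code: the raw check is instrumented to report how many bytes it examined before giving up, which is exactly the quantity a timing attack observes, while the hardened form hashes both sides and compares the raw digests with crypto/subtle (the patch itself compares hex strings; this example uses subtle.ConstantTimeCompare instead, and the stored secret is a constructed sample).

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// VulnerableCompare mirrors the pre-3.3.1 check `ak.Password != args.Password`
// but is instrumented to return how many bytes it looked at before stopping.
// The count grows with the length of the matching prefix, which is the
// signal a timing attack turns into a character-by-character recovery.
func VulnerableCompare(stored, guess string) (match bool, bytesExamined int) {
	if len(stored) != len(guess) {
		return false, 0 // Go's string equality also bails out on a length mismatch
	}
	for i := 0; i < len(stored); i++ {
		bytesExamined++
		if stored[i] != guess[i] {
			return false, bytesExamined
		}
	}
	return true, bytesExamined
}

// ConstantTimeCompare is the hardened form: hash both sides with SHA-256 so
// the compared values have a fixed length, then compare the digests with
// subtle.ConstantTimeCompare, which always walks all 32 bytes. The work done
// (and therefore the timing) no longer depends on how close the guess is.
func ConstantTimeCompare(stored, guess string) (match bool, bytesExamined int) {
	a := sha256.Sum256([]byte(stored))
	b := sha256.Sum256([]byte(guess))
	return subtle.ConstantTimeCompare(a[:], b[:]) == 1, len(a)
}

func main() {
	const stored = "s3cretPassw0rd" // constructed sample secret, 14 bytes
	for _, guess := range []string{"xxxxxxxxxxxxxx", "s3cxxxxxxxxxxx", "s3cretPassw0rx", stored} {
		_, n1 := VulnerableCompare(stored, guess)
		_, n2 := ConstantTimeCompare(stored, guess)
		fmt.Printf("%-18q raw: %2d bytes examined   sha256+subtle: %2d bytes examined\n", guess, n1, n2)
	}
}
```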

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/cubefs/cubefs (Go)
Affected versions: < 3.3.1
Patched versions: 3.3.1

Affected products

3

Patches

2
6a0d5fa45a77

enhance(gapi):Timing attack can leak user passwords

https://github.com/cubefs/cubefs · leonrayang · Nov 17, 2023 · via ghsa
1 file changed · +8 −1
  • master/gapi_user.go  +8 −1  modified
    @@ -2,6 +2,8 @@ package master
     
     import (
     	"context"
    +	"crypto/sha256"
    +	"encoding/hex"
     	"fmt"
     	"github.com/cubefs/cubefs/proto"
     	"github.com/cubefs/cubefs/util/log"
    @@ -347,8 +349,13 @@ func (s *UserService) validatePassword(ctx context.Context, args struct {
     	if err != nil {
     		return nil, err
     	}
    +	hashedPassword := sha256.Sum256([]byte(args.Password))
    +	hashedPasswordStr := hex.EncodeToString(hashedPassword[:])
     
    -	if ak.Password != args.Password {
    +	hashedPassword_ := sha256.Sum256([]byte(ak.Password))
    +	hashedPasswordStr_ := hex.EncodeToString(hashedPassword_[:])
    +
    +	if hashedPasswordStr != hashedPasswordStr_ {
     		log.LogWarnf("user:[%s] login pass word has err", args.UserID)
     		return nil, fmt.Errorf("user or password has err")
     	}
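Review bot: the comparison at `if hashedPasswordStr != hashedPasswordStr_ {` is still a plain string `!=` that stops at the first differing byte; it no longer leaks the password, because what is compared is the digest of the guess rather than the guess itself, but the idiomatic fix is `subtle.ConstantTimeCompare(hashedPassword[:], hashedPassword_[:]) != 1` from `crypto/subtle` on the raw 32-byte digests, which also removes the need for `encoding/hex` and the two `hex.EncodeToString` calls. Two smaller points: trailing-underscore names such as `hashedPassword_` are not idiomatic Go (`expectedHash` / `providedHash` would read better), and the unchanged log line still spells "pass word" as two words. Hashing `ak.Password` at comparison time also shows the stored credential is the raw password; that is outside this fix but worth tracking separately.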
    
c21d034d2fcd

enhance(gapi):Timing attack can leak user passwords

https://github.com/cubefs/cubefs · leonrayang · Nov 17, 2023 · via ghsa
1 file changed · +8 −1
  • master/gapi_user.go  +8 −1  modified
    @@ -2,6 +2,8 @@ package master
     
     import (
     	"context"
    +	"crypto/sha256"
    +	"encoding/hex"
     	"fmt"
     	"github.com/cubefs/cubefs/proto"
     	"github.com/cubefs/cubefs/util/log"
    @@ -347,8 +349,13 @@ func (s *UserService) validatePassword(ctx context.Context, args struct {
     	if err != nil {
     		return nil, err
     	}
    +	hashedPassword := sha256.Sum256([]byte(args.Password))
    +	hashedPasswordStr := hex.EncodeToString(hashedPassword[:])
     
    -	if ak.Password != args.Password {
    +	hashedPassword_ := sha256.Sum256([]byte(ak.Password))
    +	hashedPasswordStr_ := hex.EncodeToString(hashedPassword_[:])
    +
    +	if hashedPasswordStr != hashedPasswordStr_ {
     		log.LogWarnf("user:[%s] login pass word has err", args.UserID)
     		return nil, fmt.Errorf("user or password has err")
     	}
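Review bot: this hunk is identical to the one in 6a0d5fa45a77 above, so the same points apply here: the final `!=` on the hex strings should be `subtle.ConstantTimeCompare` on the raw digests (dropping `encoding/hex`), and the `_`-suffixed names are unidiomatic Go. If this is the backport of that commit, the message should say so to make the two easy to correlate.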
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.