Insecure random string generator used for sensitive data
Description
CubeFS is an open-source cloud-native file storage system. Prior to version 3.3.1, CubeFS used an insecure random string generator to generate user-specific, sensitive keys used to authenticate users in a CubeFS deployment. This could allow an attacker to predict and/or guess the generated string and impersonate a user, thereby obtaining higher privileges. When CubeFS creates new users, it creates a piece of sensitive information for the user called the "accessKey". To create the "accessKey", CubeFS uses an insecure string generator, which makes the key easy to guess and thereby makes it possible to impersonate the created user. An attacker could leverage the predictable random string generator to guess a user's access key and impersonate the user to obtain higher privileges. The issue has been fixed in v3.3.1. There is no other mitigation than to upgrade.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CubeFS <v3.3.1 uses a predictable random string generator for user access keys, enabling attackers to guess keys and impersonate users.
Vulnerability
Description
CubeFS, an open-source cloud-native file storage system, prior to version 3.3.1 used an insecure random string generator to create user-specific 'accessKey' values. These keys are critical for user authentication and authorization within a CubeFS deployment. The flawed generator produces predictable strings, making it feasible for an attacker to guess or predict the accessKey of a legitimate user [1][3].
Exploitation
An attacker with knowledge of the weak random generator and possibly some observable patterns (e.g., timing of user creation) could predict the generated accessKey. No additional authentication is required beyond being able to target a CubeFS endpoint. The guesswork does not require prior access; the attacker can attempt to impersonate any user whose key they can predict [1][3].
Impact
Successful prediction of an accessKey allows the attacker to impersonate the targeted user, thereby gaining that user's privileges. This could lead to unauthorized access to stored data, file operations, or administrative actions, depending on the compromised user's permissions [1][3].
Mitigation
The issue is fixed in CubeFS version 3.3.1, which replaces the insecure generator with a cryptographically secure random number generator [3][4]. Users must upgrade to v3.3.1 or later; no other mitigation exists. There is no evidence of exploitation in the wild, as the vulnerability was identified during a security audit by Ada Logics, OSTIF, and the CNCF [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
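As an added example, not code from CubeFS or from the advisory, the two generator patterns discussed above side by side in Go: a `weakRandomString` that re-seeds `math/rand` from a clock value before every character (the pre-3.3.1 pattern), and a `secureRandomString` that draws each index from `crypto/rand` and checks the error. The alphabet, the `fixedClock` stand-in for `time.Now().UnixNano()`, and all function names are constructed for this example. The weak function takes the clock as a parameter so the point can be shown offline: identical clock values give an identical key, and a loop that completes within one clock tick yields one repeated character, because the key's entropy is bounded by the clock, not by the key length.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	mathrand "math/rand"
	"strings"
)

// Constructed alphabet for this example; CubeFS's own RandomSeed rune set is not reproduced.
const keyAlphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// fixedClock stands in for time.Now().UnixNano(): it replays the given
// (constructed) nanosecond stamps in order, cycling when exhausted.
func fixedClock(stamps []int64) func() int64 {
	i := 0
	return func() int64 {
		v := stamps[i%len(stamps)]
		i++
		return v
	}
}

// weakRandomString reproduces the pre-3.3.1 pattern: math/rand re-seeded
// from the clock before every character. The output is a pure function of
// the clock values, so anyone who can narrow down those values can narrow
// down the key, whatever its length.
func weakRandomString(length int, clock func() int64) string {
	runes := []rune(keyAlphabet)
	result := ""
	for i := 0; i < length; i++ {
		r := mathrand.New(mathrand.NewSource(clock()))
		result += string(runes[r.Intn(len(runes))])
	}
	return result
}

// secureRandomString is the hardened form: crypto/rand.Int returns a uniform
// index with no modulo bias, and the error is checked instead of discarded,
// so a failing randomness source is reported rather than dereferencing a
// nil *big.Int.
func secureRandomString(length int) (string, error) {
	if length <= 0 {
		return "", errors.New("key length must be positive")
	}
	runes := []rune(keyAlphabet)
	upper := big.NewInt(int64(len(runes)))
	var sb strings.Builder
	sb.Grow(length)
	for i := 0; i < length; i++ {
		n, err := rand.Int(rand.Reader, upper)
		if err != nil {
			return "", fmt.Errorf("secure random source unavailable: %w", err)
		}
		sb.WriteRune(runes[n.Int64()])
	}
	return sb.String(), nil
}

// isWellFormedKey is a defender-side sanity check: expected length and
// every character drawn from the alphabet.
func isWellFormedKey(key string, length int) bool {
	if len([]rune(key)) != length {
		return false
	}
	for _, c := range key {
		if !strings.ContainsRune(keyAlphabet, c) {
			return false
		}
	}
	return true
}

// allSameRune reports whether every character of s is identical, which is
// what the weak generator produces when the loop finishes within one tick.
func allSameRune(s string) bool {
	rs := []rune(s)
	for i := 1; i < len(rs); i++ {
		if rs[i] != rs[0] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed stamp: the whole loop lands in the same nanosecond.
	fmt.Println("weak, one tick:", weakRandomString(8, fixedClock([]int64{1700000000000000000})))
	key, err := secureRandomString(32)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("secure:", key, "well-formed:", isWellFormedKey(key, 32))
}
```

The `secureRandomString` error path is the one difference from the patched code worth carrying into any similar fix: with `crypto/rand` the failure case is rare but real, and returning it keeps user creation from proceeding with a key that was never generated.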
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/cubefs/cubefs (Go) | < 3.3.1 | 3.3.1 |
Affected products
- cubefs/cubefs, range: < 3.3.1
Patches
8555c6402794 [Enhancement]: Optimize insecure random number generation in function util/string.go:RandomString
3 files changed · +9 −6
proto/packet.go+2 −0 modified@@ -596,6 +596,8 @@ func (p *Packet) GetOpMsg() (m string) { m = "OpLcNodeScan" case OpLcNodeSnapshotVerDel: m = "OpLcNodeSnapshotVerDel" + case OpMetaReadDirOnly: + m = "OpMetaReadDirOnly" default: m = fmt.Sprintf("op:%v not found", p.Opcode) }
sdk/data/stream/stream_writer.go+2 −1 modified@@ -395,7 +395,8 @@ begin: } } // try append write, get response - log.LogDebugf("action[streamer.write] doAppendWrite req %v FileOffset %v size %v", req.ExtentKey, req.FileOffset, req.Size) + log.LogDebugf("action[streamer.write] doAppendWrite req: ExtentKey(%v) FileOffset(%v) size(%v)", + req.ExtentKey, req.FileOffset, req.Size) var status int32 // First, attempt sequential writes using neighboring extent keys. If the last extent has a different version, // it indicates that the extent may have been fully utilized by the previous version.
util/string.go+5 −5 modified@@ -15,9 +15,9 @@ package util import ( - "math/rand" + "crypto/rand" + "math/big" "strings" - "time" ) func SubString(sourceString string, begin, end int) string { @@ -59,9 +59,9 @@ func RandomString(length int, seed RandomSeed) string { runs := seed.Runes() result := "" for i := 0; i < length; i++ { - rand.Seed(time.Now().UnixNano()) - randNumber := rand.Intn(len(runs)) - result += string(runs[randNumber]) + lenInt64 := int64(len(runs)) + randNumber, _ := rand.Int(rand.Reader, big.NewInt(lenInt64)) + result += string(runs[randNumber.Uint64()]) } return result }
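Review bot: the new `case OpMetaReadDirOnly` in `GetOpMsg` (proto/packet.go) has nothing to do with the random-string fix this commit is titled for. Anyone backporting the security fix to an older branch has to split the commit by hand, and the case references a constant defined outside this hunk that the target branch may not have. Land the opcode message in its own commit.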
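Review bot: the log line in sdk/data/stream/stream_writer.go changes shape from `doAppendWrite req %v FileOffset %v size %v` to `doAppendWrite req: ExtentKey(%v) FileOffset(%v) size(%v)`, which is unrelated to the fix and silently alters a line that log parsers may key on. Keep it out of the security commit, and call out the format change where it does land.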
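Review bot: the import hunk in util/string.go swaps `math/rand` for `crypto/rand` under the same package name `rand` and drops `time`. That is the right shape: any leftover `rand.Seed` or `rand.Intn` elsewhere in the file now fails to compile instead of quietly keeping the weak generator, and the diff implies nothing else in the file used `time`, which is worth confirming since only `RandomString` is shown.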
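Review bot: `randNumber, _ := rand.Int(rand.Reader, big.NewInt(lenInt64))` in `RandomString` discards the error. When `rand.Reader` fails, `rand.Int` returns a nil `*big.Int` with a non-nil error, so the next line `runs[randNumber.Uint64()]` panics on a nil dereference instead of reporting that no secure randomness was available; return the error (changing the signature) or at least `panic` with a message naming the cause. The removed lines also document the original defect well: `rand.Seed(time.Now().UnixNano())` before every character made each character a function of the current nanosecond, so the key's entropy was bounded by the clock rather than by `length`. With a cryptographic source that per-character reseed is correctly gone; while the function is being touched, `result += ...` could become a `strings.Builder`.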
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-4248-p65p-hcrm (GHSA, ADVISORY)
2. nvd.nist.gov/vuln/detail/CVE-2023-46740 (GHSA, ADVISORY)
3. github.com/cubefs/cubefs/commit/8555c6402794cabdf2cc025c8bea1576122c07ba (GHSA, x_refsource_MISC, WEB)
4. github.com/cubefs/cubefs/security/advisories/GHSA-4248-p65p-hcrm (GHSA, x_refsource_CONFIRM, WEB)