Severity: MEDIUM (5.5) · Ecosystem: Go

Dgraph Audit Log Encryption Vulnerability

GHSA-92wq-q9pq-gw47 · CVE-2023-31135

Description

Impact

Existing Dgraph audit logs are vulnerable to brute-force attacks because of nonce collisions in their encryption. All audit logs generated by Dgraph versions earlier than v23.0.0 are affected.
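The following Go program is an added illustration of the failure mode described above; it is not Dgraph's code and does not reproduce Dgraph's audit-log format. It assumes a constructed record layout (a 12-byte AES-GCM nonce followed by ciphertext and tag), an all-zero demonstration key, and three constructed audit lines. It shows the check a defender would run over a set of records to find repeated nonces, why a repeated nonce under one key lets the keystream cancel (the XOR of two ciphertexts equals the XOR of their plaintexts, with no key involved), and a counter-based nonce source that cannot repeat under a single key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Record is a constructed layout for one encrypted audit-log line: a 12-byte
// AES-GCM nonce followed by ciphertext||tag. This is an assumption made for
// the example, not Dgraph's actual on-disk format.
type Record struct {
	Nonce      []byte
	Ciphertext []byte // ciphertext followed by the 16-byte GCM tag
}

// newAEAD builds an AES-256-GCM AEAD from a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts one audit line under a caller-supplied nonce, so the example
// can write both correctly-nonced and colliding records.
func seal(aead cipher.AEAD, nonce, line []byte) Record {
	return Record{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, line, nil)}
}

// NonceCounter is a safe 96-bit nonce source: a 4-byte random prefix chosen
// once per key, then a 64-bit counter, so nonces cannot repeat under one key.
type NonceCounter struct {
	prefix [4]byte
	next   uint64
}

func NewNonceCounter() (*NonceCounter, error) {
	c := &NonceCounter{}
	if _, err := rand.Read(c.prefix[:]); err != nil {
		return nil, err
	}
	return c, nil
}

// Next returns the next unique 12-byte nonce.
func (c *NonceCounter) Next() []byte {
	nonce := make([]byte, 12)
	copy(nonce, c.prefix[:])
	binary.BigEndian.PutUint64(nonce[4:], c.next)
	c.next++
	return nonce
}

// FindNonceCollisions scans records written under one key and returns every
// (earlier, later) index pair that shares a nonce: the check a defender runs
// over existing logs to learn whether they were written with a repeating nonce.
func FindNonceCollisions(records []Record) [][2]int {
	seen := map[string]int{}
	var pairs [][2]int
	for i, r := range records {
		k := hex.EncodeToString(r.Nonce)
		if j, ok := seen[k]; ok {
			pairs = append(pairs, [2]int{j, i})
			continue
		}
		seen[k] = i
	}
	return pairs
}

// xorBytes XORs two slices up to the shorter length.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// XorCiphertexts shows why a collision matters: GCM encrypts with a keystream
// derived only from key and nonce, so two records sharing a nonce XOR together
// to the XOR of their plaintexts. tagSize is aead.Overhead().
func XorCiphertexts(a, b Record, tagSize int) []byte {
	return xorBytes(a.Ciphertext[:len(a.Ciphertext)-tagSize],
		b.Ciphertext[:len(b.Ciphertext)-tagSize])
}

func main() {
	aead, err := newAEAD(make([]byte, 32)) // constructed all-zero key, demo only
	if err != nil {
		panic(err)
	}
	counter, _ := NewNonceCounter()
	repeated := make([]byte, 12) // the colliding nonce: reused for two records
	records := []Record{ // constructed audit lines
		seal(aead, repeated, []byte("user=alice op=query")),
		seal(aead, counter.Next(), []byte("user=carol op=query")),
		seal(aead, repeated, []byte("user=bob   op=alter")),
	}
	for _, p := range FindNonceCollisions(records) {
		fmt.Printf("nonce collision: records %d and %d; keystream cancels to %x\n",
			p[0], p[1], XorCiphertexts(records[p[0]], records[p[1]], aead.Overhead()))
	}
}
```

Running the program reports one collision (records 0 and 2) and prints the XOR of the two plaintexts, which is exactly the leakage that makes colliding logs brute-forceable; the record written with the counter nonce is not paired with anything. The same scan can be pointed at any archive of records once its nonce field is known.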

Patches

This issue was patched in https://github.com/dgraph-io/dgraph/pull/8323. Dgraph users should upgrade to v23.0.0.

Workarounds

Store existing audit logs in a secure location. For extra security, encrypt them with a tool such as gpg.

References

See https://github.com/dgraph-io/dgraph/pull/8323 for more context on the vulnerability.