Vulnerability disclosure policy

An important part of Yugabyte's strategy for building a secure platform for our users is vulnerability reporting. We value working with the broader security research community and understand that fostering that relationship will help Yugabyte improve its own security posture. We take vulnerabilities very seriously regardless of source, and strongly encourage people to report security vulnerabilities privately to our security team before disclosing them in a public forum. Our goal is to surface vulnerabilities and resolve them privately before they can be exploited.

Our commitment

  1. In scope We commit to investigate and address any reported issues, and request that you use the following process for the reporting of security vulnerabilities in the following products:

    • YugabyteDB
    • YugabyteDB Anywhere
  2. Out of Scope

    • Customer applications backed by YugabyteDB are out of scope. We suggest that you report such vulnerabilities to the owner of the application, and we will do the same when possible.
    • Third party dependencies. This policy does not cover vulnerabilities discovered in information systems owned by third party entities. If any such vulnerabilities are identified, they should be reported directly to the vendor, in accordance with their disclosure policy.
  3. We will keep all information you provide to us confidential.

  4. We assure you that we will not initiate legal action against researchers who are acting in good faith and adhering to this process.

The process

  1. Report the Concern. If you have any security concerns or would like to report undisclosed security vulnerabilities in our products or services, please email us at security@yugabyte.com. Note that we do not accept bug reports at this address.

  2. Include Details. Please provide as much information as you can about the potential vulnerability, including but not limited to the following:

    • Detailed summary of the vulnerability.
    • Attack surface (for example, URL and parameters).
    • Potential weakness (for example, brute force, SQL injection).
    • Tools used to exploit the potential vulnerability (for example, operating system configuration and browser).
    • Proof of concept of how the vulnerability can be exploited (for example, sample code and steps to reproduce the vulnerability).
    • Severity level (for example, low-medium-high-critical, or use the CVSS 3.1 score estimation tool).
    • Any plans for public disclosure.
    • Preferably, send a plain-text email for each vulnerability you are reporting.
  3. Vulnerabilities in Other Open Source Projects. We incorporate software from other open source projects, and welcome vulnerability reports for those. However, you should also report those vulnerabilities directly to the affected project.

  4. Use Common Sense. Please use common sense when looking for security issues with our products. Attacking or compromising Yugabyte users' installations, or attacks on our infrastructure are not permitted.

Next steps

  1. We will promptly investigate any reported issue. In certain cases, we may work privately with you to resolve the vulnerability. We may choose not to disclose information publicly while we investigate and mitigate any risk.

  2. Upon validation and appropriate mitigation (if any) of the risk, we will alert affected customers, and add the CVE to the following list.

Security tracker: CVE list

Product Name Affected versions Fixed in Status
YugabyteDB CVE-2023-6001 from v2.0 through v2.18.3.0 v2.18.4.0 Resolved
YugabyteDB CVE-2023-6002 from v2.0 through v2.14.13.0, v2.16.7.0, and v2.18.3.0 v2.14.14.0, v2.16.8.0, v2.18.4.0 and later Resolved
YugabyteDB CVE-2023-4640 from v2.0 through v2.17.3.0 v2.17.4.0 Resolved
YugabyteDB CVE-2023-0745 from v2.0 through v2.13.0.0 v2.14.0.0 Resolved
YugabyteDB CVE-2023-0575 from v2.0 through v2.14.0.0 v2.15.0.0 Resolved
YugabyteDB CVE-2023-0574 from v2.0 through v2.13.0.0 v2.14.0.0 Resolved
YugabyteDB CVE-2022-37397 v2.6.1.0 v2.6.1.1 Resolved
YugabyteDB CVE-2024-0006 from v2.18.0.0 through v2.18.8.0,
from v2.20.0.0 through v2.20.2.2,
v2024.1.0.0
v2.18.9.0, v2.20.2.3, v2024.1.1.0 and later Resolved
YugabyteDB CVE-2024-6895 from v2.14.0.0 through v2.14.16.0,
from v2.16.0.0 through v2.16.8.0,
from v2.18.0.0 through v2.18.8.0,
from v2.20.0.0 through v2.20.4.0
v2.20.5.0 and later Resolved
YugabyteDB CVE-2024-6908 from v2.14.0.0 through v2.14.16.0,
from v2.16.0.0 through v2.16.8.0,
from v2.18.0.0 through v2.18.6.0,
from v2.20.0.0 through v2.20.2.0
v2.18.7.0, v2.20.3.0 and later Resolved

Note

Our release notes contain up-to-date information on security vulnerabilities and available patches.

Supply-chain vulnerabilities in YugabyteDB Postgres Query Layer (YSQL)

YugabyteDB relies on PostgreSQL, and the following CVEs have been addressed in the PostgreSQL code base.

Note that this policy covers only vulnerabilities in the query layer of PostgreSQL. Yugabyte does not publish or disclose any other third-party (supply chain) vulnerabilities. The focus is to ensure security and integrity of the PostgreSQL query layer.

Product Name Fixed in YugabyteDB version Status
PostgreSQL (YSQL) CVE-2019-10127 Not applicable: YugabyteDB only runs on Linux, this vulnerability is Windows-specific.
PostgreSQL (YSQL) CVE-2019-10128 Not applicable: YugabyteDB only runs on Linux, this vulnerability is Windows-specific.
PostgreSQL (YSQL) CVE-2019-10129 v2.7.1 Resolved
PostgreSQL (YSQL) CVE-2019-10130 v2.12.11.0, v2.14.3.0, v2.15.4.0 Resolved
PostgreSQL (YSQL) CVE-2019-10164 v2.12.11.0, v2.14.3.0, v2.15.3.0 Resolved
PostgreSQL (YSQL) CVE-2019-10208 v2.12.11.0, v2.14.3.0, v2.15.4.0 Resolved
PostgreSQL (YSQL) CVE-2019-10209 v2.12.11.0, v2.14.3.0, v2.15.4.0 Resolved
PostgreSQL (YSQL) CVE-2019-10210 Not applicable: YugabyteDB only runs on Linux, this vulnerability is Windows-specific.
PostgreSQL (YSQL) CVE-2019-10211 Not applicable: YugabyteDB only runs on Linux, this vulnerability is Windows-specific.
PostgreSQL (YSQL) CVE-2019-3466 Not applicable: pg_ctlcluster is not included in installation.
PostgreSQL (YSQL) CVE-2020-10733 Not applicable: YugabyteDB only runs on Linux, this vulnerability is Windows-specific.
PostgreSQL (YSQL) CVE-2020-14349 Not applicable: YugabyteDB does not use logical replication.
PostgreSQL (YSQL) CVE-2020-14350 v2.12.11.0, v2.14.5.0, v2.16.0.0, v2.17.1.0 Resolved
PostgreSQL (YSQL) CVE-2020-1720 Resolved
PostgreSQL (YSQL) CVE-2020-25694 v2.7.1 or later Resolved
PostgreSQL (YSQL) CVE-2020-25695 v2.12.0.0, v2.14.0.0 Resolved
PostgreSQL (YSQL) CVE-2020-25696 v2.12.11.0, v2.14.3.0, v2.15.4.0 Resolved
PostgreSQL (YSQL) CVE-2021-23214 v2.8.1.0, v2.6.7.0, v2.11.1.0 Resolved
PostgreSQL (YSQL) CVE-2021-23222 v2.8.1.0, v2.6.7.0, v2.11.1.0 Resolved
PostgreSQL (YSQL) CVE-2021-32027 v2.7.0.0 Resolved
PostgreSQL (YSQL) CVE-2021-32028 v2.7.2.0 Resolved
PostgreSQL (YSQL) CVE-2021-32029 v2.14.15.0, v2.18.6.0, v2.20.2.0, v2.21.1.0 Resolved
PostgreSQL (YSQL) CVE-2021-3393 v2.17.1.0 Resolved
PostgreSQL (YSQL) CVE-2021-3677 Resolved
PostgreSQL (YSQL) CVE-2021-43766 v2.12.0.0, v2.14.0.0 Resolved
PostgreSQL (YSQL) CVE-2021-43767 Resolved
PostgreSQL (YSQL) CVE-2022-1552 v2.12.0.0, v2.14.0.0, v2.15.1.0 Resolved
PostgreSQL (YSQL) CVE-2022-2625 v2.12.10.0, v2.14.2.0, v2.15.3.0 Resolved
PostgreSQL (YSQL) CVE-2023-2454 v2.18.1.0 Resolved
PostgreSQL (YSQL) CVE-2023-2455 v2.14.10.2, v2.16.5.0, v2.18.0.0, v2.20.0.0 Resolved
PostgreSQL (YSQL) CVE-2023-32305 Not applicable: aiven-extras is not included in installation.
PostgreSQL (YSQL) CVE-2023-39417 v2.20.1.0, v2.14.15.0, v2.16.9.0, v2.18.5.0 Resolved
PostgreSQL (YSQL) CVE-2023-5868 v2.14.17.x, v2.18.8.x, v2.20.6.x, v2.23.0.0, v2024.2 Resolved
PostgreSQL (YSQL) CVE-2023-5869 v2.14.17.x, v2.18.8.x, v2.20.6.x, v2.23.0.0, v2024.2 Resolved
PostgreSQL (YSQL) CVE-2023-5870 v2.14.17.x, v2.18.8.x, v2.20.6.x, v2.23.0.0, v2024.2 Resolved