CVE-2025-8866
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-11

Last updated on: 2025-08-11

Assigner: Yugabyte, Inc.

Description
YugabyteDB Anywhere web server does not properly enforce authentication for the /metamaster/universe API endpoint. An unauthenticated attacker could exploit this flaw to obtain server networking configuration details, including private and public IP addresses and DNS records.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-11
Last Modified
2025-08-11
Generated
2026-05-07
AI Q&A
2025-08-11
EPSS Evaluated
2026-05-05
NVD
CVE-2025-8866
EUVD
EUVD-2025-24153
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yugabyte yugabytedb_anywhere 4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in YugabyteDB Anywhere web server occurs because it does not properly enforce authentication for the /metamaster/universe API endpoint. As a result, an unauthenticated attacker can exploit this flaw to access server networking configuration details, including private and public IP addresses and DNS records.


How can this vulnerability impact me? :

The impact of this vulnerability is that an attacker without authentication can obtain sensitive networking configuration information of the server, such as private and public IP addresses and DNS records. This information disclosure could aid attackers in further attacks or reconnaissance activities against the affected system or network.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart