Potential password leak in the EventStoreDB Projections Subsystem

High
hayley-jean published GHSA-6r53-v8hj-x684 Feb 21, 2024

Package

eventstore-oss

Affected versions

<=23.10.0
<=22.10.4
<=21.10.10
<=20.10.5

Patched versions

23.10.1
22.10.5
21.10.11
20.10.6

Description

Impact

A vulnerability has been identified in the projections subsystem by the Event Store Ltd engineering team and a security release has been published for all LTS versions.

Only database instances that use custom projections are affected by this vulnerability.

User passwords may become accessible to anyone with access to the chunk files on disk, and to users with read access to system streams. By default only members of the $admins group can read system streams.

The vulnerability is present in EventStoreDB versions v20 through v23. Each affected LTS release is receiving a patch with the fix, regardless of its current support status.

Recommended Action

  1. Upgrade EventStoreDB: Event Store Cloud customers should follow the instructions in the cloud upgrade guide; everyone else should follow the standard upgrade guide.
  2. Reset the passwords for current and previous members of $admins and $ops groups.
  3. If a password was reused in any other system, reset it in those systems to a unique password to follow best practices.

Patches

This patch is to be applied to the following releases (you can also read more about our versioning strategy):

  • Update ESDB 23.10.x to ESDB 23.10.1
  • Update ESDB 22.10.x to ESDB 22.10.5
  • Update ESDB 21.10.x to ESDB 21.10.11
  • Update ESDB 20.10.x to ESDB 20.10.6

Workarounds

If an upgrade cannot be done immediately, reset the passwords for current and previous members of $admins and $ops groups.
Avoid creating custom projections until the patch has been applied.
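The password reset in step 2 of the Recommended Action and in the workaround above, as an added example that is not part of the advisory or of Event Store's own tooling. It assumes the EventStoreDB HTTP user-management endpoints GET /users and POST /users/{login}/command/reset-password with HTTP basic auth; the user list embedded below is constructed sample data.

```python
import json
import secrets
import urllib.request
from base64 import b64encode

PRIVILEGED_GROUPS = {"$admins", "$ops"}  # the groups named in the advisory

# Constructed sample of what GET /users returns (only the fields used here).
SAMPLE_USERS = {"data": [
    {"loginName": "admin", "groups": ["$admins"], "disabled": False},
    {"loginName": "ops", "groups": ["$ops"], "disabled": False},
    {"loginName": "reader", "groups": [], "disabled": False},
    {"loginName": "old-admin", "groups": ["$admins"], "disabled": True},
]}


def select_logins(users_doc):
    """Current $admins/$ops members, disabled accounts included.

    Previous members are not visible in the live user list; the advisory asks
    for those too, so add them from your own change records.
    """
    return sorted(u["loginName"] for u in users_doc.get("data", [])
                  if PRIVILEGED_GROUPS & set(u.get("groups", [])))


def build_reset_requests(logins, new_password):
    """One (method, path, body) per account; new_password(login) supplies the secret."""
    return [("POST", f"/users/{login}/command/reset-password",
             {"newPassword": new_password(login)}) for login in logins]


def http_json(base_url, auth, method, path, body=None):
    """Minimal urllib transport with HTTP basic auth (assumed to be enabled)."""
    token = b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req = urllib.request.Request(
        base_url + path, method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


def reset_privileged_passwords(base_url, auth, transport=http_json):
    """Fetch users, reset every privileged account, return {login: new_password}."""
    logins = select_logins(transport(base_url, auth, "GET", "/users"))
    logins.sort(key=lambda l: l == auth[0])  # reset the calling account last
    issued = {login: secrets.token_urlsafe(24) for login in logins}
    for method, path, body in build_reset_requests(logins, issued.__getitem__):
        transport(base_url, auth, method, path, body)
    return issued
```

Store the returned passwords in your secret manager immediately; the script keeps them only in memory.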

References

EventStoreDB Security Release: 23.10, 22.10, 21.10 and 20.10 For CVE-2024-26133

Severity

High (7.1 / 10)

CVSS base metrics

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: Low
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: Low

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

CVE ID

CVE-2024-26133
