Impact
Existing Dgraph audit logs are vulnerable to brute force attacks due to nonce collisions. All audit logs generated by versions of Dgraph <v23.0.0 are affected.
Patches
This issue was patched in #8323. Dgraph users should upgrade to v23.0.0.
Workarounds
Store existing audit logs in a secure location. For extra security, encrypt using a tool like gpg.
References
See #8323 for more context on the vulnerability.