02/21/24 - 9:00 AM EST
EventStoreDB has published a security release on February 21, 2024, US Eastern time (EST).
The Event Store Ltd engineering team has discovered an information security vulnerability in EventStoreDB, CVE-2024-26133. The vulnerability affects EventStoreDB instances using custom projections.
The vulnerability is fixed in versions 23.10.1, 22.10.5, 21.10.11, and 20.10.6.
Further details about the vulnerability including affected versions and detailed instructions for the security release can be found at release notes.
Event Store is committed to providing its customers with the highest level of security and takes all security issues seriously. Our team is currently working with our customers to ensure they can apply the patch as soon as possible. For open-source users that run into any issues with the update, please reach out to us for assistance – we’re actively monitoring our Discord server for any issues, or you can email us directly at support@eventstore.freshdesk.com.