CVE-2020-10750

Sensitive information written to a log file vulnerability was found in jaegertracing/jaeger before version 1.18.1 when the Kafka data store is used. This flaw allows an attacker with access to the container's log file to discover the Kafka credentials.

CVSS v3 7.1 HIGH
CVSS v2.0 2.1 LOW

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10750	Issue Tracking Patch Third Party Advisory
https://github.com/jaegertracing/jaeger/releases/tag/v1.18.1	Release Notes Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10750	Issue Tracking Patch Third Party Advisory
https://github.com/jaegertracing/jaeger/releases/tag/v1.18.1	Release Notes Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:linuxfoundation:jaeger:*:*:*:*:*:*:*:*

History

21 Nov 2024, 04:55

Type	Values Removed	Values Added
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10750 - Issue Tracking, Patch, Third Party Advisory~~	() https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10750 - Issue Tracking, Patch, Third Party Advisory
References	~~() https://github.com/jaegertracing/jaeger/releases/tag/v1.18.1 - Release Notes, Third Party Advisory~~	() https://github.com/jaegertracing/jaeger/releases/tag/v1.18.1 - Release Notes, Third Party Advisory
CVSS	v2 : ~~2.1~~ v3 : ~~5.5~~	v2 : 2.1 v3 : 7.1

Information

Published : 2020-06-19 20:15

Updated : 2024-11-21 04:55

NVD link : CVE-2020-10750

Mitre link : CVE-2020-10750

CVE.ORG link : CVE-2020-10750

JSON object : View

Products Affected

linuxfoundation

jaeger

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2020-10750", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2020-06-19T20:15:12.867", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10750", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://github.com/jaegertracing/jaeger/releases/tag/v1.18.1", "tags": ["Release Notes", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10750", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/jaegertracing/jaeger/releases/tag/v1.18.1", "tags": ["Release Notes", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-532"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "Sensitive information written to a log file vulnerability was found in jaegertracing/jaeger before version 1.18.1 when the Kafka data store is used. This flaw allows an attacker with access to the container's log file to discover the Kafka credentials."}, {"lang": "es", "value": "Una informaci\u00f3n confidencial escrita en una vulnerabilidad de archivo de registro se encontr\u00f3 en jaegertracing/jaeger versiones anteriores a 1.18.1, cuando el almac\u00e9n de datos de Kafka es usado. Este fallo permite a un atacante con acceso al archivo de registro del contenedor detecte las credenciales de Kafka"}], "lastModified": "2024-11-21T04:55:59.463", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:jaeger:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F22DAA95-1F23-42D1-ADB2-57768C81A4C2", "versionEndExcluding": "1.18.1"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}