CVE-2020-25678

A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible.

CVSS v3 4.4 MEDIUM
CVSS v2.0 2.1 LOW

4.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1892109	Issue Tracking Patch
https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OQTBKVXVYP7GPQNZ5VASOIJHMLK7727M/
https://security.gentoo.org/glsa/202105-39	Third Party Advisory
https://tracker.ceph.com/issues/37503	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:ceph::::::::
	cpe:2.3:a:redhat:ceph_storage:4.0:::::::*

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

History

23 Oct 2023, 19:15

Type	Values Removed	Values Added
CWE	~~CWE-312~~
References		(MISC) https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html -

Information

Published : 2021-01-08 18:15

Updated : 2024-02-28 18:08

NVD link : CVE-2020-25678

Mitre link : CVE-2020-25678

CVE.ORG link : CVE-2020-25678

JSON object : View

Products Affected

fedoraproject

fedora

redhat

ceph
ceph_storage

CWE

CWE-312

Cleartext Storage of Sensitive Information

{"id": "CVE-2020-25678", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.8}]}, "published": "2021-01-08T18:15:13.293", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1892109", "tags": ["Issue Tracking", "Patch"], "source": "secalert@redhat.com"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html", "source": "secalert@redhat.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OQTBKVXVYP7GPQNZ5VASOIJHMLK7727M/", "source": "secalert@redhat.com"}, {"url": "https://security.gentoo.org/glsa/202105-39", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://tracker.ceph.com/issues/37503", "tags": ["Patch", "Vendor Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-312"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en ceph en versiones anteriores a 16.yz, donde ceph almacena contrase\u00f1as del m\u00f3dulo mgr en texto sin cifrar. Esto puede ser encontrado al buscar en los registros mgr para grafana y dashboard, con contrase\u00f1as visibles"}], "lastModified": "2023-10-23T19:15:10.177", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ceph:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3669614D-F320-49C7-B633-6B5681148C84", "versionEndExcluding": "16.2.0"}, {"criteria": "cpe:2.3:a:redhat:ceph_storage:4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D6E54096-5D45-4CB2-AC9A-DDB55BF2B94C"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}