Vulnerability Details : CVE-2020-25678
A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible.
Exploit prediction scoring system (EPSS) score for CVE-2020-25678
Probability of exploitation activity in the next 30 days: 0.05%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 15 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2020-25678
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
2.1
|
LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
3.9
|
2.9
|
NIST |
|
4.4
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
0.8
|
3.6
|
NIST |
CWE ids for CVE-2020-25678
-
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.Assigned by: secalert@redhat.com (Secondary)
References for CVE-2020-25678
-
https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html
[SECURITY] [DLA 3629-1] ceph security update
-
https://bugzilla.redhat.com/show_bug.cgi?id=1892109
1892109 – (CVE-2020-25678) CVE-2020-25678 ceph: mgr modules' passwords are in clear text in mgr logsIssue Tracking;Patch
-
https://security.gentoo.org/glsa/202105-39
Ceph: Multiple vulnerabilities (GLSA 202105-39) — Gentoo securityThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OQTBKVXVYP7GPQNZ5VASOIJHMLK7727M/
[SECURITY] Fedora 33 Update: ceph-15.2.9-1.fc33 - package-announce - Fedora Mailing-Lists
-
https://tracker.ceph.com/issues/37503
Bug #37503: Audit log: mgr module passwords set on CLI written as plaintext in log files - Ceph - CephPatch;Vendor Advisory
Products affected by CVE-2020-25678
- cpe:2.3:a:redhat:ceph:*:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ceph_storage:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*