Vulnerability Details : CVE-2020-25678
A flaw was found in Ceph in versions prior to 16.y.z: passwords supplied to mgr module commands on the command line (for example the dashboard module's Grafana API password) were written in clear text to the ceph-mgr logs, because the mgr audit log records every dispatched command together with its full argument list. Anyone able to read the mgr log files on the host (the CVSS v3.1 vector below rates this as local access with high privileges) can recover these passwords by searching the logs for "grafana" and "dashboard". Because the secret is persisted in the log rather than merely transmitted, any password that was set this way on an unpatched mgr should be treated as exposed and rotated, and the affected log files (including rotated copies and backups) scrubbed. The Fedora advisory referenced below ships ceph 15.2.9 as the fixed package for Fedora 33.
Products affected by CVE-2020-25678
- cpe:2.3:a:redhat:ceph:*:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ceph_storage:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-25678
- EPSS score: 0.05% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~15% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2020-25678
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N | 3.9 | 2.9 | NIST | |
| 4.4 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N | 0.8 | 3.6 | NIST | |
CWE ids for CVE-2020-25678
- CWE-312 (Cleartext Storage of Sensitive Information): The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. Assigned by: secalert@redhat.com (Secondary)
References for CVE-2020-25678
- https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html (Debian LTS: [SECURITY] [DLA 3629-1] ceph security update)
- https://bugzilla.redhat.com/show_bug.cgi?id=1892109 (Red Hat Bugzilla 1892109: "CVE-2020-25678 ceph: mgr modules' passwords are in clear text in mgr logs"; Issue Tracking; Patch)
- https://security.gentoo.org/glsa/202105-39 (Gentoo: "Ceph: Multiple vulnerabilities", GLSA 202105-39; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OQTBKVXVYP7GPQNZ5VASOIJHMLK7727M/ (Fedora: [SECURITY] Fedora 33 Update: ceph-15.2.9-1.fc33)
- https://tracker.ceph.com/issues/37503 (Ceph tracker, Bug #37503: "Audit log: mgr module passwords set on CLI written as plaintext in log files"; Patch; Vendor Advisory)