CVE-2020-25678

Published: 08 January 2021

A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible.

Priority

Low

CVSS 3 base score: 4.4

Status

Package Release Status
ceph
Launchpad, Ubuntu, Debian
Upstream
Released (15.2.8,16.1.0)
Ubuntu 21.04 (Hirsute Hippo)
Released (16.1.0-0ubuntu2)
Ubuntu 20.10 (Groovy Gorilla) Needed

Ubuntu 20.04 LTS (Focal Fossa) Needed

Ubuntu 18.04 LTS (Bionic Beaver) Needed

Ubuntu 16.04 ESM (Xenial Xerus) Needed

Ubuntu 14.04 ESM (Trusty Tahr) Needs triage

Patches:
Upstream: https://github.com/ceph/ceph/commit/351960345a3ca28b037dd62ca74a40e9942c21ff (16.1)
Upstream: https://github.com/ceph/ceph/commit/79adcfe1c91d71a042ed33a77a29dea96f116e6e (15.2.8)