CVE-2020-25678
Published: 8 January 2021
A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible.
From the Ubuntu Security Team
It was discovered that in some situations Ceph logged passwords from the mgr module in clear text. An attacker could use this to expose sensitive information.
Priority
Status
Package | Release | Status |
---|---|---|
ceph Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(12.2.13-0ubuntu0.18.04.8)
|
focal |
Released
(15.2.12-0ubuntu0.20.04.1)
|
|
groovy |
Released
(15.2.12-0ubuntu0.20.10.1)
|
|
hirsute |
Released
(16.1.0-0ubuntu2)
|
|
xenial |
Not vulnerable
|
|
impish |
Released
(16.1.0-0ubuntu2)
|
|
jammy |
Released
(16.1.0-0ubuntu2)
|
|
trusty |
Not vulnerable
|
|
upstream |
Released
(15.2.8,16.1.0)
|
|
Patches: upstream: https://github.com/ceph/ceph/commit/351960345a3ca28b037dd62ca74a40e9942c21ff (16.1) upstream: https://github.com/ceph/ceph/commit/79adcfe1c91d71a042ed33a77a29dea96f116e6e (15.2.8) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 4.4 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | High |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |