CVE-2020-25678
Published: 08 January 2021
A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible.
Priority
Low
CVSS 3 base score: 4.4
Status
| Package | Release | Status |
|---|---|---|
|
ceph Launchpad, Ubuntu, Debian |
Upstream |
Released
(15.2.8,16.1.0)
|
| Ubuntu 21.04 (Hirsute Hippo) |
Released
(16.1.0-0ubuntu2)
|
|
| Ubuntu 20.10 (Groovy Gorilla) |
Needed
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Needed
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Needed
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Needed
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Needs triage
|
|
|
Patches: Upstream: https://github.com/ceph/ceph/commit/351960345a3ca28b037dd62ca74a40e9942c21ff (16.1) Upstream: https://github.com/ceph/ceph/commit/79adcfe1c91d71a042ed33a77a29dea96f116e6e (15.2.8) |
||
Notes
| Author | Note |
|---|---|
| mdeslaur | this is fixed in 15.2.8 in focal-updates and groovy-updates but has not been pushed to the security pocket |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25678
- https://access.redhat.com/security/cve/CVE-2020-25678
- https://github.com/ceph/ceph/pull/38479 (16.1)
- https://github.com/ceph/ceph/pull/38620 (bp)
- NVD
- Launchpad
- Debian