CVE-2020-25678

A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible.

Published: Jan 8, 2021
Updated: Apr 14, 2023
CVE: CVE-2020-25678
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.4
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 2.1
AV:L/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-312

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
redhat / ceph_storage	4.0	4.0.x
redhat / ceph	-	16.2.0
fedoraproject / fedora	33	33.x

https://bugzilla.redhat.com/show_bug.cgi?id=1892109
https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OQTBKVXVYP7GPQNZ5VASOIJHMLK7727M/
https://security.gentoo.org/glsa/202105-39
https://tracker.ceph.com/issues/37503

Vulnerability Database

289,599

CVE-2020-25678