CVE-2018-16889

Ceph does not properly sanitize encryption keys in debug logging for v4 auth. This results in the leaking of encryption key information in log files via plaintext. Versions up to v13.2.4 are vulnerable.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
redhatCNA
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 22%
VendorProductVersion
redhatceph
𝑥
≤ 13.2.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ceph
bullseye
14.2.21-1
fixed
stretch
postponed
jessie
not-affected
bookworm
16.2.11+ds-2
fixed
sid
18.2.4+ds-7
fixed
trixie
18.2.4+ds-7
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ceph
disco
Fixed 13.2.4+dfsg1-0ubuntu2.1
released
cosmic
Fixed 13.2.4+dfsg1-0ubuntu0.18.10.2
released
bionic
Fixed 12.2.11-0ubuntu0.18.04.1
released
xenial
Fixed 10.2.11-0ubuntu0.16.04.2
released
trusty
not-affected
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/106528
https://access.redhat.com/errata/RHSA-2019:2538
https://access.redhat.com/errata/RHSA-2019:2541
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16889
https://usn.ubuntu.com/4035-1/
http://www.securityfocus.com/bid/106528
https://access.redhat.com/errata/RHSA-2019:2538
https://access.redhat.com/errata/RHSA-2019:2541
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16889
https://usn.ubuntu.com/4035-1/