CVE-2020-25678

A flaw was found in Ceph in versions prior to 16.y.z, where Ceph stores mgr module passwords in clear text. The passwords are visible when searching the mgr logs for grafana and dashboard.
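
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 4.4 MEDIUM | LOCAL | LOW | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
| redhat | CNA | --- | --- | | | |
| CVE | ADP | --- | --- | | | |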

EPSS Score: Percentile: 4%

| Vendor | Product | Version |
|---|---|---|
| redhat | ceph | 𝑥 < 16.2.0 |
| redhat | ceph_storage | 4.0 |

𝑥 = Vulnerable software versions
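
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| ceph | bullseye | 14.2.21-1 | fixed |
| ceph | stretch | | no-dsa |
| ceph | bookworm | 16.2.11+ds-2 | fixed |
| ceph | sid | 18.2.4+ds-7 | fixed |
| ceph | trixie | 18.2.4+ds-7 | fixed |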

Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| ceph | jammy | Fixed 16.1.0-0ubuntu2 | released |
| ceph | impish | Fixed 16.1.0-0ubuntu2 | released |
| ceph | hirsute | Fixed 16.1.0-0ubuntu2 | released |
| ceph | groovy | Fixed 15.2.12-0ubuntu0.20.10.1 | released |
| ceph | focal | Fixed 15.2.12-0ubuntu0.20.04.1 | released |
| ceph | bionic | | not-affected |
| ceph | xenial | | not-affected |
| ceph | trusty | | not-affected |