CVE-2020-25678

EUVD-2020-18340
A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 4.4 MEDIUM | LOCAL | LOW | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
EPSS Score percentile: 2%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| redhat | ceph | < 16.2.0 |
| redhat | ceph_storage | 4.0 |

All listed versions are vulnerable software versions.
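Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| ceph | bookworm | 16.2.11+ds-2 | fixed |
| ceph | bullseye | 14.2.21-1 | fixed |
| ceph | sid | 18.2.4+ds-7 | fixed |
| ceph | stretch | | no-dsa |
| ceph | trixie | 18.2.4+ds-7 | fixed |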
Ubuntu Releases

| Ubuntu Product | Codename | Fixed Version | Status |
|---|---|---|---|
| ceph | bionic | | not-affected |
| ceph | focal | 15.2.12-0ubuntu0.20.04.1 | released |
| ceph | groovy | 15.2.12-0ubuntu0.20.10.1 | released |
| ceph | hirsute | 16.1.0-0ubuntu2 | released |
| ceph | impish | 16.1.0-0ubuntu2 | released |
| ceph | jammy | 16.1.0-0ubuntu2 | released |
| ceph | trusty | | not-affected |
| ceph | xenial | | not-affected |