CVE-2020-25678
Advisory lineage Upstream: 0 Downstream: 11
Modified
Published: 08 Jan 2021, 17:59
Last modified:13 Feb 2025, 16:27
Vulnerability Summary
Overall Risk (default)
low
18/100 CVSS Score
4.4 MEDIUM
v3.1 (nvd)
EPSS Score
0.02% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
08 Jan 2021, 17:59
Published
Vulnerability first disclosed
13 Feb 2025, 16:27
Last Modified
Vulnerability information updated
Description
A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible.
CVSS Metrics
- v3.1•MEDIUM•Score: 4.4CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
- v2.0•LOW•Score: 2.1AV:L/AC:L/Au:N/C:P/I:N/A:N
EPSS Trends
Current EPSS score: 0.02%• Percentile: 5%
Techniques & Countermeasures
- CWE-312•Cleartext Storage of Sensitive Information
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Affected Systems
- fedoraproject•fedora
33
- redhat•ceph
< 16.2.0
- redhat•ceph_storage
4.0
References (5)
- https://bugzilla.redhat.com/show_bug.cgi?id=1892109
- https://tracker.ceph.com/issues/37503
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OQTBKVXVYP7GPQNZ5VASOIJHMLK7727M/
- https://security.gentoo.org/glsa/202105-39
- https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html