PublicDateAtUSN: 2021-01-08 18:15:00 UTC
Candidate: CVE-2020-25678
PublicDate: 2021-01-08 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25678
 https://access.redhat.com/security/cve/CVE-2020-25678
 https://github.com/ceph/ceph/pull/38479 (16.1)
 https://github.com/ceph/ceph/pull/38620 (bp)
 https://ubuntu.com/security/notices/USN-4998-1
Description:
 A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible.
Ubuntu-Description:
 It was discovered that in some situations Ceph logged passwords from the mgr module in clear text. An attacker could use this to expose sensitive information.
Notes:
Mitigation:
Bugs:
 https://tracker.ceph.com/issues/37503
 https://tracker.ceph.com/issues/48615
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N [4.4 MEDIUM]

Patches_ceph:
 upstream: https://github.com/ceph/ceph/commit/351960345a3ca28b037dd62ca74a40e9942c21ff (16.1)
 upstream: https://github.com/ceph/ceph/commit/79adcfe1c91d71a042ed33a77a29dea96f116e6e (15.2.8)
upstream_ceph: released (15.2.8,16.1.0)
precise/esm_ceph: ignored (end of ESM support, was needs-triage)
trusty_ceph: ignored (out of standard support)
trusty/esm_ceph: not-affected
xenial_ceph: ignored (end of standard support, was needed)
esm-infra/xenial_ceph: not-affected
bionic_ceph: not-affected (12.2.13-0ubuntu0.18.04.8)
focal_ceph: released (15.2.12-0ubuntu0.20.04.1)
groovy_ceph: released (15.2.12-0ubuntu0.20.10.1)
hirsute_ceph: released (16.1.0-0ubuntu2)
impish_ceph: released (16.1.0-0ubuntu2)
jammy_ceph: released (16.1.0-0ubuntu2)
devel_ceph: released (16.1.0-0ubuntu2)