Candidate: CVE-2020-1699
PublicDate: 2020-04-21 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1699
Description:
 A path traversal flaw was found in the Ceph dashboard implemented in
 upstream versions v14.2.5, v14.2.6, v15.0.0 of Ceph storage and has been
 fixed in versions 14.2.7 and 15.1.0. An unauthenticated attacker could use
 this flaw to cause information disclosure on the host machine running the
 Ceph dashboard.
Ubuntu-Description:
Notes:
 mdeslaur> introduced in 14.2.5
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949206
 https://tracker.ceph.com/issues/43607
 https://tracker.ceph.com/issues/41320
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]


Patches_ceph:
 upstream: https://github.com/ceph/ceph/commit/0443e40c11280ba3b7efcba61522afa70c4f8158
upstream_ceph: released (14.2.6-4)
precise/esm_ceph: not-affected (code not present)
trusty_ceph: ignored (out of standard support)
trusty/esm_ceph: not-affected (code not present)
xenial_ceph: not-affected (code not present)
esm-infra/xenial_ceph: not-affected (code not present)
bionic_ceph: not-affected (code not present)
disco_ceph: ignored (reached end-of-life)
eoan_ceph: not-affected (code not present)
devel_ceph: not-affected (code not present)