{"containers": {"cna": {"affected": [{"product": "ceph", "vendor": "n/a", "versions": [{"status": "affected", "version": "ceph versions prior to 16.y.z"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-312", "description": "CWE-312", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2023-10-23T18:06:33.797Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1892109"}, {"tags": ["x_refsource_MISC"], "url": "https://tracker.ceph.com/issues/37503"}, {"name": "FEDORA-2021-93ff9e9103", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OQTBKVXVYP7GPQNZ5VASOIJHMLK7727M/"}, {"name": "GLSA-202105-39", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202105-39"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:40:36.768Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1892109"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://tracker.ceph.com/issues/37503"}, {"name": "FEDORA-2021-93ff9e9103", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OQTBKVXVYP7GPQNZ5VASOIJHMLK7727M/"}, {"name": "GLSA-202105-39", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202105-39"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html", "tags": ["x_transferred"]}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-25678", "datePublished": "2021-01-08T17:59:34.000Z", "dateReserved": "2020-09-16T00:00:00.000Z", "dateUpdated": "2025-02-13T16:27:41.662Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ceph:*:*:*:*:*:*:*:*", "matchCriteriaId": "3669614D-F320-49C7-B633-6B5681148C84", "versionEndExcluding": "16.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ceph_storage:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "D6E54096-5D45-4CB2-AC9A-DDB55BF2B94C", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en ceph en versiones anteriores a 16.yz, donde ceph almacena contrase\u00f1as del m\u00f3dulo mgr en texto sin cifrar. Esto puede ser encontrado al buscar en los registros mgr para grafana y dashboard, con contrase\u00f1as visibles"}], "id": "CVE-2020-25678", "lastModified": "2024-11-21T05:18:26.617", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-08T18:15:13.293", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1892109"}, {"source": "secalert@redhat.com", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OQTBKVXVYP7GPQNZ5VASOIJHMLK7727M/"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202105-39"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://tracker.ceph.com/issues/37503"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1892109"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OQTBKVXVYP7GPQNZ5VASOIJHMLK7727M/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202105-39"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://tracker.ceph.com/issues/37503"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2021:1452", "cpe": "cpe:/a:redhat:ceph_storage:4::el7", "package": "ceph-2:14.2.11-147.el7cp", "product_name": "Red Hat Ceph Storage 4.2", "release_date": "2021-04-28T00:00:00Z"}, {"advisory": "RHSA-2021:1452", "cpe": "cpe:/a:redhat:ceph_storage:4::el7", "package": "ceph-ansible-0:4.0.49.2-1.el7cp", "product_name": "Red Hat Ceph Storage 4.2", "release_date": "2021-04-28T00:00:00Z"}, {"advisory": "RHSA-2021:1452", "cpe": "cpe:/a:redhat:ceph_storage:4::el7", "package": "gperftools-0:2.6.3-3.el8cp", "product_name": "Red Hat Ceph Storage 4.2", "release_date": "2021-04-28T00:00:00Z"}, {"advisory": "RHSA-2021:1452", "cpe": "cpe:/a:redhat:ceph_storage:4::el7", "package": "tcmu-runner-0:1.5.2-3.el8cp", "product_name": "Red Hat Ceph Storage 4.2", "release_date": "2021-04-28T00:00:00Z"}], "bugzilla": {"description": "ceph: mgr modules' passwords are in clear text in mgr logs", "id": "1892109", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1892109"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-312", "details": ["A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible.", "A flaw was found in Ceph where Ceph stores mgr module passwords in clear text. This issue can be found by searching the mgr logs for Grafana and dashboard, with passwords visible. The highest threat from this vulnerability is to confidentiality."], "name": "CVE-2020-25678", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "ceph", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Not affected", "package_name": "ceph", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "ceph", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "ceph", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Out of support scope", "package_name": "ceph", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "package_name": "ceph", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}], "public_date": "2020-11-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-25678\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-25678\nhttps://tracker.ceph.com/issues/37503"], "statement": "* Red Hat Ceph Storage 4 is affected by this flaw, with the passwords visible under sudo. Red Hat Ceph Storage 3 is not affected by this flaw, and does not log passwords by default. \n* Red Hat OpenShift Container Storage (RHOCS) 4 shipped Ceph package for the usage of RHOCS 4.2 only, that has reached End Of Life. Hence, the Ceph package is no longer used and supported with the release of RHOCS 4.3.\n* Red Hat OpenStack Platform deployments use the Ceph package directly from the Ceph channel; the RHOSP package will not be updated at this time.", "threat_severity": "Moderate"}