CVE-2020-1716 — Hard-coded Credentials in Ceph-ansible

CWE-798 — Hard-coded Credentials7 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.5%

top 32.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ceph Ceph-ansible

Timeline

PublishedMay 28

Latest updateMay 24

Description

A flaw was found in the ceph-ansible playbook where it contained hardcoded passwords that were being used as default passwords while deploying Ceph services. Any authenticated attacker can abuse this flaw to brute-force Ceph deployments, and gain administrator access to Ceph clusters via the Ceph dashboard to initiate read, write, and delete Ceph clusters and also modify Ceph cluster configurations. Versions before ceph-ansible 6.0.0alpha1 are affected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDceph/ceph-ansible5.0.3

▶CVEListV5ceph/ceph-ansibleceph-ansible 6.0.0alpha1

🔴Vulnerability Details

GHSA

GHSA-v27v-7hmw-76p2: A flaw was found in the ceph-ansible playbook where it contained hardcoded passwords that were being used as default passwords while deploying Ceph se↗2022-05-24

▶

CVEList

CVE-2020-1716: A flaw was found in the ceph-ansible playbook where it contained hardcoded passwords that were being used as default passwords while deploying Ceph se↗2021-05-28

▶

📋Vendor Advisories

Red Hat

ceph-ansible: hard coded credential in ceph-ansible playbook↗2019-01-22

▶

💬Community

Bugzilla

CVE-2020-25664 ImageMagick: heap-based buffer overflow in PopShortPixel in MagickCore/quantum-private.h↗2020-10-26

▶

Bugzilla

CVE-2020-1716 ceph-ansible: hard coded credential in ceph-ansible playbook [fedora-30]↗2020-03-13

▶

Bugzilla

CVE-2020-1716 ceph-ansible: hard coded credential in ceph-ansible playbook↗2020-01-28

▶