CVE-2020-25677Cleartext Storage of Sensitive Info in Ceph-ansible

CWE-312Cleartext Storage of Sensitive Info5 documents5 sources
Severity
5.5MEDIUMNVD
EPSS
0.0%
top 94.62%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Ceph Ceph-ansibleRedhat Ceph Storage
Timeline
PublishedDec 8
Latest updateMay 24

Description

A flaw was found in Ceph-ansible v4.0.41 where it creates an /etc/ceph/iscsi-gateway.conf with insecure default permissions. This flaw allows any user on the system to read sensitive information within this file. The highest threat from this vulnerability is to confidentiality.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

CVEListV5ceph/ceph-ansibleceph-ansible-4.0.41
NVDceph/ceph-ansible4.0.41
NVDredhat/ceph_storage3.0, 4.0+1

Patches

Patch: bugzilla.redhat.comPatch: bugzilla.redhat.com

🔴Vulnerability Details

2
GHSA
GHSA-637g-65xr-xr73: Ceph-ansible 42022-05-24
CVEList
CVE-2020-25677: A flaw was found in Ceph-ansible v42020-12-08

📋Vendor Advisories

1
Red Hat
ceph-ansible: insecure ownership on /etc/ceph/iscsi-gateway.conf configuration file2020-11-23

💬Community

1
Bugzilla
CVE-2020-25677 ceph-ansible: insecure ownership on /etc/ceph/iscsi-gateway.conf configuration file2020-10-27
CVE-2020-25677 — Cleartext Storage of Sensitive Info | cvebase