CVE-2020-25678

NameCVE-2020-25678
DescriptionA flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3629-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ceph (PTS)jessie, jessie (lts)0.80.7-2+deb8u6vulnerable
stretch (security)10.2.11-2+deb9u1vulnerable
stretch (lts), stretch10.2.11-2+deb9u2vulnerable
buster (security), buster, buster (lts)12.2.11+dfsg1-2.1+deb10u1fixed
bullseye14.2.21-1fixed
bookworm16.2.11+ds-2fixed
bookworm (security)16.2.15+ds-0+deb12u1fixed
sid, trixie18.2.4+ds-11fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cephsourcebuster12.2.11+dfsg1-2.1+deb10u1DLA-3629-1
cephsource(unstable)14.2.18-1

Notes

[stretch] - ceph <no-dsa> (Minor issue)
https://tracker.ceph.com/issues/37503
https://github.com/ceph/ceph/pull/38614 (v14.2.17)
[jessie] - ceph <no-dsa> (Minor issue)

Search for package or bug name: Reporting problems