CVE-2020-25678

Name: CVE-2020-25678
Description: A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: low

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| ceph (PTS) | stretch | 10.2.11-2 | vulnerable |
| | stretch (security) | 10.2.11-2+deb9u1 | vulnerable |
| | buster | 12.2.11+dfsg1-2.1 | vulnerable |
| | bookworm, bullseye | 14.2.21-1 | fixed |
| | sid | 14.2.21-1.1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| ceph | source | (unstable) | 14.2.18-1 | | | |

Notes

[buster] - ceph <no-dsa> (Minor issue)
[stretch] - ceph <no-dsa> (Minor issue)
https://tracker.ceph.com/issues/37503
https://github.com/ceph/ceph/pull/38614 (v14.2.17)
