CVE-2020-25678

Name: CVE-2020-25678
Description: A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| ceph (PTS) | stretch (security), stretch | 10.2.11-2 | vulnerable |
| | buster | 12.2.11+dfsg1-2.1 | vulnerable |
| | bullseye | 14.2.16-2 | vulnerable |
| | sid | 14.2.18-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| ceph | source | (unstable) | 14.2.18-1 | | | |

Notes

https://tracker.ceph.com/issues/37503
https://github.com/ceph/ceph/pull/38614 (v14.2.17)
