CVE-2020-10763

An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords.

CVSS v3 5.5 MEDIUM
CVSS v2.0 2.1 LOW

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1845387	Issue Tracking Third Party Advisory
https://github.com/heketi/heketi/releases/tag/v10.1.0	Release Notes Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:heketi_project:heketi:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:redhat:gluster_storage:3.0:::::::*
	cpe:2.3:a:redhat:gluster_storage:3.5:::::::*
	cpe:2.3:a:redhat:openshift_container_platform:4.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*

History

No history.

Information

Published : 2020-11-24 17:15

Updated : 2020-12-02 19:16

NVD link : CVE-2020-10763

Mitre link : CVE-2020-10763

CVE.ORG link : CVE-2020-10763

JSON object : View

Products Affected

redhat

enterprise_linux
gluster_storage
openshift_container_platform

heketi_project

heketi

CWE

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2020-10763", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2020-11-24T17:15:10.817", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1845387", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://github.com/heketi/heketi/releases/tag/v10.1.0", "tags": ["Release Notes", "Third Party Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-532"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en la divulgaci\u00f3n de informaci\u00f3n en la forma en que Heketi versiones anteriores a 10.1.0 registra informaci\u00f3n confidencial. Este fallo permite a un atacante con acceso local al servidor de Heketi leer informaci\u00f3n potencialmente confidencial, tal y como contrase\u00f1as de gluster-block"}], "lastModified": "2020-12-02T19:16:58.793", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:heketi_project:heketi:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "95FD0B21-DD5C-4ABE-ABEB-64A6A892064E", "versionEndExcluding": "10.1.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:gluster_storage:3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F1986832-44C9-491E-A75D-AAD8FAE683E6"}, {"criteria": "cpe:2.3:a:redhat:gluster_storage:3.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "135265D8-583D-41EB-B741-419FC871CE91"}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "932D137F-528B-4526-9A89-CD59FA1AB0FE"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}