CVE-2020-10763 - OpenCVE

An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Gluster Storage Openshift Container Platform Enterprise Linux
Heketi Project	Heketi

Configuration 1 [-]

cpe:2.3:a:heketi_project:heketi:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:redhat:gluster_storage:3.0:::::::*
	cpe:2.3:a:redhat:gluster_storage:3.5:::::::*
	cpe:2.3:a:redhat:openshift_container_platform:4.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1845387	Issue Tracking Third Party Advisory
https://github.com/heketi/heketi/releases/tag/v10.1.0	Release Notes Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2020-11-24T16:17:23

Updated: 2020-11-24T16:17:23

Reserved: 2020-03-20T00:00:00

Link: CVE-2020-10763

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-11-24T17:15:10.817

Modified: 2020-12-02T19:16:58.793

Link: CVE-2020-10763

JSON object: View

Redhat Information

No data.

CWE

CWE-532

{"containers": {"cna": {"affected": [{"product": "heketi", "vendor": "n/a", "versions": [{"status": "affected", "version": "heketi 10.1.0"}]}], "descriptions": [{"lang": "en", "value": "An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-11-24T16:17:23", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1845387"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/heketi/heketi/releases/tag/v10.1.0"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-10763", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "heketi", "version": {"version_data": [{"version_value": "heketi 10.1.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-532"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1845387", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1845387"}, {"name": "https://github.com/heketi/heketi/releases/tag/v10.1.0", "refsource": "MISC", "url": "https://github.com/heketi/heketi/releases/tag/v10.1.0"}]}}}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-10763", "datePublished": "2020-11-24T16:17:23", "dateReserved": "2020-03-20T00:00:00", "dateUpdated": "2020-11-24T16:17:23", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:heketi_project:heketi:*:*:*:*:*:*:*:*", "matchCriteriaId": "95FD0B21-DD5C-4ABE-ABEB-64A6A892064E", "versionEndExcluding": "10.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:gluster_storage:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "F1986832-44C9-491E-A75D-AAD8FAE683E6", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:gluster_storage:3.5:*:*:*:*:*:*:*", "matchCriteriaId": "135265D8-583D-41EB-B741-419FC871CE91", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "932D137F-528B-4526-9A89-CD59FA1AB0FE", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en la divulgaci\u00f3n de informaci\u00f3n en la forma en que Heketi versiones anteriores a 10.1.0 registra informaci\u00f3n confidencial. Este fallo permite a un atacante con acceso local al servidor de Heketi leer informaci\u00f3n potencialmente confidencial, tal y como contrase\u00f1as de gluster-block"}], "id": "CVE-2020-10763", "lastModified": "2020-12-02T19:16:58.793", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-24T17:15:10.817", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1845387"}, {"source": "secalert@redhat.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/heketi/heketi/releases/tag/v10.1.0"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-532"}], "source": "secalert@redhat.com", "type": "Secondary"}]}