CVE-2018-16889

Exploit

EPSS 0.07%
Published 28.01.2019 14:29:00
Last modified 21.11.2024 03:53:32
Source secalert@redhat.com
Teams watchlist Login
Open Login

Ceph does not properly sanitize encryption keys in debug logging for v4 auth. This results in the leaking of encryption key information in log files via plaintext. Versions up to v13.2.4 are vulnerable.

Affected products Warnungen 0 Metrics 4 CWE 4 References 8

Data is provided by the National Vulnerability Database (NVD)

Redhat ≫ Ceph Version <= 13.2.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.07%	0.185

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N
secalert@redhat.com	5.5	1.8	3.6	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-312 Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

https://access.redhat.com/errata/RHSA-2019:2538

https://access.redhat.com/errata/RHSA-2019:2541

https://usn.ubuntu.com/4035-1/

http://www.securityfocus.com/bid/106528

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16889