CVE-2020-27781

EPSS 0.04%
Veröffentlicht 18.12.2020 21:15:12
Zuletzt bearbeitet 21.11.2024 05:21:49
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila, resulting in potential privilege escalation. An Open Stack Manila user can request access to a share to an arbitrary cephx user, including existing users. The access key is retrieved via the interface drivers. Then, all users of the requesting OpenStack project can view the access key. This enables the attacker to target any resource that the user has access to. This can be done to even "admin" users, compromising the ceph administrator. This flaw affects Ceph versions prior to 14.2.16, 15.x prior to 15.2.8, and 16.x prior to 16.2.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Redhat ≫ Ceph Version < 14.2.16

Redhat ≫ Ceph Version >= 15.0.0 < 15.2.8

Redhat ≫ Ceph Version >= 16.0.0 < 16.2.0

Redhat ≫ Ceph Storage Version2.0

Redhat ≫ Ceph Storage Version3.0

Redhat ≫ Ceph Storage Version4.0

Redhat ≫ Openshift Container Platform Version4.0

Redhat ≫ Openstack Platform Version13.0

Fedoraproject ≫ Fedora Version33

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.121

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.1	1.8	5.2	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov	3.6	3.9	4.9	AV:L/AC:L/Au:N/C:P/I:P/A:N

CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html

https://security.gentoo.org/glsa/202105-39

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1900109

Vendor Advisory

Issue Tracking

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZJ7FFROL25FYRL6FMI33VRKOD74LINRP/

https://nvd.nist.gov/vuln/detail/CVE-2020-27781

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-27781

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-27781

EUVD