Description
Ceph does not properly sanitize encryption keys in its debug logging for v4 auth (the RADOS Gateway's handling of AWS Signature Version 4 requests). When the gateway runs with debug logging enabled, the key material used to validate a v4 signature is written to the log files in plaintext, so anyone able to read those logs (a local user on the gateway host, per the LOCAL attack vector below, or whoever receives shipped, rotated or archived copies of them) obtains the secret. Versions up to v13.2.4 are vulnerable. Because the exposure is in log files rather than in live traffic, upgrading alone does not undo it: any secret that has already been logged must be treated as compromised and rotated, and existing logs should be checked for leaked keys.
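The check a practitioner wants after reading the description is whether any configured RGW secret already appears verbatim in the logs on disk. The following is an added example, not Ceph's own code: it takes a user-to-secret mapping (as you would collect from the gateway's user records), scans log lines for each secret, and reports which users' credentials need rotating. The log lines, key values and the field layout are constructed for illustration and do not reproduce Ceph's real log format; matching on the raw key bytes rather than on a field name is deliberate, since the surrounding text differs between versions while the leaked value does not.

```python
"""Audit Ceph RGW logs for S3 secret keys leaked in plaintext.

Added example, not Ceph's code. The user records, log lines and log
layout below are constructed for illustration only.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Hypothetical user -> S3 secret key mapping. In practice this is
# collected from the gateway's user records for every RGW user.
KNOWN_SECRETS: Dict[str, str] = {
    "alice": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "bob": "8yS5nM2qH1lN7vR0fK3zD6pG9aT4bC2xWjE5uQ1r",
}

# Constructed sample log. The second line models the defect described
# above (a high debug level echoes the secret used for the v4 signature);
# the fourth models sanitized output; the third is unrelated traffic.
SAMPLE_LOG: List[str] = [
    "2019-01-28 10:00:01.000 7f3a 10 v4 auth: access key=AKIAIOSFODNN7EXAMPLE",
    "2019-01-28 10:00:01.001 7f3a 10 v4 auth: secret key="
    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    '2019-01-28 10:00:02.000 7f3a  1 civetweb: 10.0.0.5 "GET /bucket HTTP/1.1" 200',
    "2019-01-28 10:00:03.000 7f3a 10 v4 auth: secret key=****",
]


def find_leaked_secrets(lines: Iterable[str],
                        secrets: Dict[str, str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, user) for every line that contains a
    known secret verbatim. Substring matching on the key bytes is used on
    purpose: the field name and layout vary across log versions, the
    leaked value does not."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        for user, secret in secrets.items():
            if secret in line:
                hits.append((lineno, user))
    return hits


def users_to_rotate(lines: Iterable[str], secrets: Dict[str, str]) -> Set[str]:
    """Users whose secret appeared in the log at least once. Every one of
    these credentials must be replaced; deleting the log is not enough
    once the file may have been read, shipped or backed up."""
    return {user for _, user in find_leaked_secrets(lines, secrets)}


def redact(line: str, secrets: Dict[str, str]) -> str:
    """Mask every known secret in a log line before the line is shared
    (for example in a support bundle), keeping the rest intact so the
    line stays useful for debugging."""
    for secret in secrets.values():
        line = line.replace(secret, "****")
    return line


if __name__ == "__main__":
    for lineno, user in find_leaked_secrets(SAMPLE_LOG, KNOWN_SECRETS):
        print(f"line {lineno}: secret for user {user!r} logged in plaintext")
    print("rotate:", sorted(users_to_rotate(SAMPLE_LOG, KNOWN_SECRETS)))
    for line in SAMPLE_LOG:
        print(redact(line, KNOWN_SECRETS))
```

Run it against every gateway log file, including rotated and compressed copies and any copies forwarded to a central log collector, since the secret is just as readable there. A hit for a user means that user's S3 credentials are burned regardless of whether the gateway has since been upgraded; rotate them and only then purge or redact the logs.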
References (5)
Third Party Advisory (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/106528
Exploit, Issue Tracking, Patch, Third Party Advisory (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16889
Vendor Advisory (vendor-advisory, x_refsource_ubuntu): https://usn.ubuntu.com/4035-1/
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:2538
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:2541
Scores
CVSS v3: 5.5 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Attack Vector: LOCAL
EPSS: 0.0007
EPSS Percentile: 20.7%
Details
CWE
CWE-532
CWE-20
CWE-312
CWE-200
Status
published
Products (1)
redhat/ceph
< 13.2.4
Published
Jan 28, 2019
Tracked Since
Feb 18, 2026