CVE-2018-16889
MEDIUM
Ceph < 13.2.4 - Sensitive Information Disclosure in Debug Logging
Title source: llm
Description
Ceph does not properly sanitize encryption keys in debug logging for v4 auth. As a result, encryption key information is written to log files in plaintext. Versions up to v13.2.4 are vulnerable.
References (5)
Core References
Third Party Advisory vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/106528
Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16889
Vendor Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/4035-1/
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2538
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2541
Scores
CVSS v3: 5.5
EPSS: 0.0054
EPSS Percentile: 40.9%
Attack Vector: LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-20, CWE-200, CWE-312, CWE-532
Status: published
Products (1): redhat/ceph < 13.2.4
Published: Jan 28, 2019
Tracked Since: Feb 18, 2026