Mageia 8: MGASA-2021-0126 Moderate: Ceph Authentication Risk
mageia
March 11, 2021
A flaw was found in Ceph where Ceph stores mgr module passwords in clear text
Summary
A flaw was found in Ceph where Ceph stores mgr module passwords in clear text.
This issue can be found by searching the mgr logs for Grafana and dashboard
with passwords visible. The highest threat from this vulnerability is to
confidentiality (CVE-2020-25678).
A flaw was found in ceph-dashboard. The JSON Web Token (JWT) used for user
authentication is stored by the frontend application in the browser’s
localStorage which is potentially vulnerable to attackers via XSS attacks. The
highest threat from this vulnerability is to data confidentiality and
integrity (CVE-2020-27839).
References
- https://bugs.mageia.org/show_bug.cgi?id=28538
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OQTBKVXVYP7GPQNZ5VASOIJHMLK7727M/
- https://www.cve.org/CVERecord?id=CVE-2020-25678
- https://www.cve.org/CVERecord?id=CVE-2020-27839
Resolution
SRPMS
- 8/core/ceph-15.2.9-1.mga8
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Publication date: 12 Mar 2021
URL: https://advisories.mageia.org/MGASA-2021-0126.html
Type: security
CVE: CVE-2020-25678,
CVE-2020-27839
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!