Bug 1792337 (CVE-2020-1699) - CVE-2020-1699 ceph: improper URL checking leads to information disclosure
Summary: CVE-2020-1699 ceph: improper URL checking leads to information disclosure
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-1699
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1792338 1795482
Blocks: 1791584
TreeView+ depends on / blocked
 
Reported: 2020-01-17 14:26 UTC by Dhananjay Arunesh
Modified: 2020-07-14 11:05 UTC (History)
29 users (show)

Fixed In Version: ceph 14.2.7, ceph 15.1.0
Doc Type: If docs needed, set a value
Doc Text:
A path traversal flaw was found in the Ceph dashboard implemented in Ceph storage. An unauthenticated attacker could use this flaw to cause information disclosure on the host machine running the Ceph dashboard.
Clone Of:
Environment:
Last Closed: 2020-01-22 20:09:34 UTC


Attachments (Terms of Use)

Description Dhananjay Arunesh 2020-01-17 14:26:45 UTC
A vulnerability was found in Ceph, where an improper URL checking may reveal passwords and other sensitive information.

Reference:
https://tracker.ceph.com/issues/41320
https://github.com/ceph/ceph/commit/0443e40c11280ba3b7efcba61522afa70c4f8158

Comment 1 Dhananjay Arunesh 2020-01-17 14:27:04 UTC
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1792338]

Comment 4 Product Security DevOps Team 2020-01-22 20:09:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1699

Comment 8 Hardik Vyas 2020-03-20 11:59:09 UTC
Statement:

This vulnerability affects following Ceph versions of upstream - v14.2.5, v14.2.6, v15.0.0 and it has been fixed in v14.2.7 and v15.1.0. Red Hat Ceph Storage never shipped the affected versions of Ceph hence not affected.


Note You need to log in before you can comment on or make changes to this bug.