Vulnerability Description
Ceph does not properly sanitize encryption keys in debug logging for v4 auth. This results in the leaking of encryption key information in log files via plaintext. Versions up to v13.2.4 are vulnerable.
CVSS Score
5.5
MEDIUM
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Ceph | <= 13.2.4 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/106528Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:2538
- https://access.redhat.com/errata/RHSA-2019:2541
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16889ExploitIssue TrackingPatch
- https://usn.ubuntu.com/4035-1/
- http://www.securityfocus.com/bid/106528Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:2538
- https://access.redhat.com/errata/RHSA-2019:2541
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16889ExploitIssue TrackingPatch
- https://usn.ubuntu.com/4035-1/
FAQ
What is CVE-2018-16889?
CVE-2018-16889 is a vulnerability with a CVSS score of 5.5 (MEDIUM). Ceph does not properly sanitize encryption keys in debug logging for v4 auth. This results in the leaking of encryption key information in log files via plaintext. Versions up to v13.2.4 are vulnerabl...
How severe is CVE-2018-16889?
CVE-2018-16889 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-16889?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Ceph.