CVE-2020-10762

Опубликовано: 30 сент. 2020

Источник: redhat

CVSS3: 5.5

Описание

An information-disclosure flaw was found in the way that gluster-block before 0.5.1 logs the output from gluster-block CLI operations. This includes recording passwords to the cmd_history.log file which is world-readable. This flaw allows local users to obtain sensitive information by reading the log file. The highest threat from this vulnerability is to data confidentiality.

An information-disclosure flaw was found in the way that gluster-block logs the output from gluster-block CLI operations. This includes recording passwords to the cmd_history.log file which is world-readable. This flaw allows local users to obtain sensitive information by reading the log file. The highest threat from this vulnerability is to data confidentiality.

Отчет

The version of gluster-block shipped with Red Hat Gluster Storage 3 sets the world-readable permissions on gluster-block directory and log files that store the sensitive information, hence affected by this vulnerability.

Меры по смягчению последствий

Manually change the log files permission to remove readable bits for others, e.g;

chmod 640 /var/log/glusterfs/gluster-block/cmd_history.log

NOTE: The above mitigation only restricts access to the other local users. To avoid storing passwords to the log file, kindly update gluster-block to the fixed version.

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-732->CWE-532

https://bugzilla.redhat.com/show_bug.cgi?id=1845067gluster-block: information disclosure through world-readable gluster-block log files

5.5 Medium

CVSS3

Связанные уязвимости

CVE-2020-10762

CVSS3: 5.5

nvd

около 5 лет назад

GHSA-3grh-xhcf-mgx4

github

больше 3 лет назад

5.5 Medium

CVSS3