{"api_version":"1","generated_at":"2026-04-23T04:10:09+00:00","cve":"CVE-2020-25678","urls":{"html":"https://cve.report/CVE-2020-25678","api":"https://cve.report/api/cve/CVE-2020-25678.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-25678","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-25678"},"summary":{"title":"CVE-2020-25678","description":"A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2021-01-08 18:15:00","updated_at":"2023-10-23 19:15:00"},"problem_types":["CWE-312"],"metrics":[],"references":[{"url":"https://tracker.ceph.com/issues/37503","name":"https://tracker.ceph.com/issues/37503","refsource":"MISC","tags":["Patch","Vendor Advisory"],"title":"Bug #37503: Audit log: mgr module passwords set on CLI written as plaintext in log files - Ceph - Ceph","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html","name":"https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html","refsource":"MISC","tags":[],"title":"[SECURITY] [DLA 3629-1] ceph security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://access.redhat.com/errata/RHSA-2021:1452","name":"https://access.redhat.com/errata/RHSA-2021:1452","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/security/cve/CVE-2020-25678","name":"https://access.redhat.com/security/cve/CVE-2020-25678","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1892109","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1892109","refsource":"MISC","tags":["Issue Tracking","Patch"],"title":"1892109 – (CVE-2020-25678) CVE-2020-25678 ceph: mgr modules' passwords are in clear text in mgr logs","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202105-39","name":"GLSA-202105-39","refsource":"GENTOO","tags":[],"title":"Ceph: Multiple vulnerabilities (GLSA 202105-39) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OQTBKVXVYP7GPQNZ5VASOIJHMLK7727M/","name":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OQTBKVXVYP7GPQNZ5VASOIJHMLK7727M/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 33 Update: ceph-15.2.9-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQTBKVXVYP7GPQNZ5VASOIJHMLK7727M/","name":"FEDORA-2021-93ff9e9103","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 33 Update: ceph-15.2.9-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-25678","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-25678","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"25678","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"33","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"25678","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"ceph","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"25678","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"ceph","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"25678","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"ceph_storage","cpe6":"4.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"25678","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"ceph_storage","cpe6":"4.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-25678","qid":"174881","title":"SUSE Enterprise Linux Security Update for ceph (SUSE-SU-2021:1108-1)"},{"cve":"CVE-2020-25678","qid":"174975","title":"SUSE Enterprise Linux Security Update for ceph (SUSE-SU-2021:1473-1)"},{"cve":"CVE-2020-25678","qid":"198423","title":"Ubuntu Security Notification for Ceph vulnerabilities (USN-4998-1)"},{"cve":"CVE-2020-25678","qid":"239270","title":"Red Hat Update for Red Hat Ceph Storage (RHSA-2021:1452)"},{"cve":"CVE-2020-25678","qid":"281589","title":"Fedora Security Update for ceph (FEDORA-2021-93ff9e9103)"},{"cve":"CVE-2020-25678","qid":"6000278","title":"Debian Security Update for ceph (DLA 3629-1)"},{"cve":"CVE-2020-25678","qid":"670358","title":"EulerOS Security Update for ceph (EulerOS-SA-2021-1866)"},{"cve":"CVE-2020-25678","qid":"670860","title":"EulerOS Security Update for ceph (EulerOS-SA-2021-1866)"},{"cve":"CVE-2020-25678","qid":"710075","title":"Gentoo Linux Ceph Multiple vulnerabilities (GLSA 202105-39)"},{"cve":"CVE-2020-25678","qid":"750271","title":"OpenSUSE Security Update for ceph (openSUSE-SU-2021:0544-1)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2020-25678","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-312","cweId":"CWE-312"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"ceph","version":{"version_data":[{"version_affected":"=","version_value":"ceph versions prior to 16.y.z"}]}}]}}]}},"references":{"reference_data":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1892109","refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1892109"},{"url":"https://tracker.ceph.com/issues/37503","refsource":"MISC","name":"https://tracker.ceph.com/issues/37503"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OQTBKVXVYP7GPQNZ5VASOIJHMLK7727M/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OQTBKVXVYP7GPQNZ5VASOIJHMLK7727M/"},{"url":"https://security.gentoo.org/glsa/202105-39","refsource":"MISC","name":"https://security.gentoo.org/glsa/202105-39"},{"url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html","refsource":"MISC","name":"https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html"}]}},"nvd":{"publishedDate":"2021-01-08 18:15:00","lastModifiedDate":"2023-10-23 19:15:00","problem_types":["CWE-312"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.4,"baseSeverity":"MEDIUM"},"exploitabilityScore":0.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:L/Au:N/C:P/I:N/A:N","accessVector":"LOCAL","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":2.1},"severity":"LOW","exploitabilityScore":3.9,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:ceph_storage:4.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:ceph:*:*:*:*:*:*:*:*","versionEndExcluding":"16.2.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"25678","Ordinal":"187095","Title":"CVE-2020-25678","CVE":"CVE-2020-25678","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"25678","Ordinal":"1","NoteData":"A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"25678","Ordinal":"2","NoteData":"2021-01-08","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"25678","Ordinal":"3","NoteData":"2021-05-26","Type":"Other","Title":"Modified"}]}}}