CVE-2020-10750 - OpenCVE

Sensitive information written to a log file vulnerability was found in jaegertracing/jaeger before version 1.18.1 when the Kafka data store is used. This flaw allows an attacker with access to the container's log file to discover the Kafka credentials.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Linuxfoundation	Jaeger
Redhat	Jaeger

Configuration 1 [-]

cpe:2.3:a:linuxfoundation:jaeger:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Jaeger-1.17
distributed-tracing/jaeger-all-in-one-rhel7:1.17.3-2	cpe:/a:redhat:jaeger:1.17::el7	RHSA-2020:2636	2020-06-19T00:00:00Z
distributed-tracing/jaeger-collector-rhel7:1.17.3-2	cpe:/a:redhat:jaeger:1.17::el7	RHSA-2020:2636	2020-06-19T00:00:00Z
distributed-tracing/jaeger-ingester-rhel7:1.17.3-2	cpe:/a:redhat:jaeger:1.17::el7	RHSA-2020:2636	2020-06-19T00:00:00Z

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10750
https://github.com/jaegertracing/jaeger/releases/tag/v1.18.1
https://nvd.nist.gov/vuln/detail/CVE-2020-10750
https://www.cve.org/CVERecord?id=CVE-2020-10750

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2020-06-19T19:23:04

Updated: 2024-08-04T11:14:15.575Z

Reserved: 2020-03-20T00:00:00

Link: CVE-2020-10750

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-06-19T20:15:12.867

Modified: 2023-11-07T03:14:20.170

Link: CVE-2020-10750

Redhat

Severity : Moderate

Publid Date: 2020-06-19T10:30:00Z

Links: CVE-2020-10750 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "jaegertracing/jaeger", "vendor": "the Jager project", "versions": [{"status": "affected", "version": "1.18.1"}]}], "descriptions": [{"lang": "en", "value": "Sensitive information written to a log file vulnerability was found in jaegertracing/jaeger before version 1.18.1 when the Kafka data store is used. This flaw allows an attacker with access to the container's log file to discover the Kafka credentials."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-200", "description": "CWE-200", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-06-19T19:23:04", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10750"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jaegertracing/jaeger/releases/tag/v1.18.1"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-10750", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "jaegertracing/jaeger", "version": {"version_data": [{"version_value": "1.18.1"}]}}]}, "vendor_name": "the Jager project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Sensitive information written to a log file vulnerability was found in jaegertracing/jaeger before version 1.18.1 when the Kafka data store is used. This flaw allows an attacker with access to the container's log file to discover the Kafka credentials."}]}, "impact": {"cvss": [[{"vectorString": "7.1/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-532"}]}, {"description": [{"lang": "eng", "value": "CWE-200"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10750", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10750"}, {"name": "https://github.com/jaegertracing/jaeger/releases/tag/v1.18.1", "refsource": "CONFIRM", "url": "https://github.com/jaegertracing/jaeger/releases/tag/v1.18.1"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:14:15.575Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10750"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/jaegertracing/jaeger/releases/tag/v1.18.1"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-10750", "datePublished": "2020-06-19T19:23:04", "dateReserved": "2020-03-20T00:00:00", "dateUpdated": "2024-08-04T11:14:15.575Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:jaeger:*:*:*:*:*:*:*:*", "matchCriteriaId": "F22DAA95-1F23-42D1-ADB2-57768C81A4C2", "versionEndExcluding": "1.18.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sensitive information written to a log file vulnerability was found in jaegertracing/jaeger before version 1.18.1 when the Kafka data store is used. This flaw allows an attacker with access to the container's log file to discover the Kafka credentials."}, {"lang": "es", "value": "Una informaci\u00f3n confidencial escrita en una vulnerabilidad de archivo de registro se encontr\u00f3 en jaegertracing/jaeger versiones anteriores a 1.18.1, cuando el almac\u00e9n de datos de Kafka es usado. Este fallo permite a un atacante con acceso al archivo de registro del contenedor detecte las credenciales de Kafka"}], "id": "CVE-2020-10750", "lastModified": "2023-11-07T03:14:20.170", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2020-06-19T20:15:12.867", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10750"}, {"source": "secalert@redhat.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/jaegertracing/jaeger/releases/tag/v1.18.1"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-532"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Carl Henrik Lunde (SpareBank 1) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2020:2636", "cpe": "cpe:/a:redhat:jaeger:1.17::el7", "package": "distributed-tracing/jaeger-all-in-one-rhel7:1.17.3-2", "product_name": "Jaeger-1.17", "release_date": "2020-06-19T00:00:00Z"}, {"advisory": "RHSA-2020:2636", "cpe": "cpe:/a:redhat:jaeger:1.17::el7", "package": "distributed-tracing/jaeger-collector-rhel7:1.17.3-2", "product_name": "Jaeger-1.17", "release_date": "2020-06-19T00:00:00Z"}, {"advisory": "RHSA-2020:2636", "cpe": "cpe:/a:redhat:jaeger:1.17::el7", "package": "distributed-tracing/jaeger-ingester-rhel7:1.17.3-2", "product_name": "Jaeger-1.17", "release_date": "2020-06-19T00:00:00Z"}], "bugzilla": {"description": "jaegertracing/jaeger: credentials leaked to container logs", "id": "1838401", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838401"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-532->CWE-200", "details": ["Sensitive information written to a log file vulnerability was found in jaegertracing/jaeger before version 1.18.1 when the Kafka data store is used. This flaw allows an attacker with access to the container's log file to discover the Kafka credentials.", "An information disclosure vulnerability was found in jaegertracing/jaeger. When the Kafka data store is used, this flaw allows an attacker with access to the container's log file to discover the Kafka credentials."], "name": "CVE-2020-10750", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Will not fix", "package_name": "jaeger", "product_name": "OpenShift Service Mesh 1"}], "public_date": "2020-06-19T10:30:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-10750\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10750\nhttps://github.com/jaegertracing/jaeger/releases/tag/v1.18.1"], "statement": "While OpenShift ServiceMesh Jaeger does package the affected code (Kafka), the only supported data store is ElasticSearch. Additionally, in the documentation and notes, only ElasticSearch is supported, marking OpenShift ServiceMesh as affected but WONTFIX.", "threat_severity": "Moderate", "upstream_fix": "jaeger 1.18.1"}