{"containers": {"cna": {"affected": [{"product": "jaegertracing/jaeger", "vendor": "the Jager project", "versions": [{"status": "affected", "version": "1.18.1"}]}], "descriptions": [{"lang": "en", "value": "Sensitive information written to a log file vulnerability was found in jaegertracing/jaeger before version 1.18.1 when the Kafka data store is used. This flaw allows an attacker with access to the container's log file to discover the Kafka credentials."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-200", "description": "CWE-200", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-06-19T19:23:04", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10750"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jaegertracing/jaeger/releases/tag/v1.18.1"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-10750", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "jaegertracing/jaeger", "version": {"version_data": [{"version_value": "1.18.1"}]}}]}, "vendor_name": "the Jager project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Sensitive information written to a log file vulnerability was found in jaegertracing/jaeger before version 1.18.1 when the Kafka data store is used. This flaw allows an attacker with access to the container's log file to discover the Kafka credentials."}]}, "impact": {"cvss": [[{"vectorString": "7.1/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-532"}]}, {"description": [{"lang": "eng", "value": "CWE-200"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10750", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10750"}, {"name": "https://github.com/jaegertracing/jaeger/releases/tag/v1.18.1", "refsource": "CONFIRM", "url": "https://github.com/jaegertracing/jaeger/releases/tag/v1.18.1"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:14:15.575Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10750"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/jaegertracing/jaeger/releases/tag/v1.18.1"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-10750", "datePublished": "2020-06-19T19:23:04", "dateReserved": "2020-03-20T00:00:00", "dateUpdated": "2024-08-04T11:14:15.575Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:jaeger:*:*:*:*:*:*:*:*", "matchCriteriaId": "F22DAA95-1F23-42D1-ADB2-57768C81A4C2", "versionEndExcluding": "1.18.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Sensitive information written to a log file vulnerability was found in jaegertracing/jaeger before version 1.18.1 when the Kafka data store is used. This flaw allows an attacker with access to the container's log file to discover the Kafka credentials."}, {"lang": "es", "value": "Una informaci\u00f3n confidencial escrita en una vulnerabilidad de archivo de registro se encontr\u00f3 en jaegertracing/jaeger versiones anteriores a 1.18.1, cuando el almac\u00e9n de datos de Kafka es usado. Este fallo permite a un atacante con acceso al archivo de registro del contenedor detecte las credenciales de Kafka"}], "id": "CVE-2020-10750", "lastModified": "2024-11-21T04:55:59.463", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-19T20:15:12.867", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10750"}, {"source": "secalert@redhat.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/jaegertracing/jaeger/releases/tag/v1.18.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10750"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/jaegertracing/jaeger/releases/tag/v1.18.1"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-532"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Carl Henrik Lunde (SpareBank 1) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2020:2636", "cpe": "cpe:/a:redhat:jaeger:1.17::el7", "package": "distributed-tracing/jaeger-all-in-one-rhel7:1.17.3-2", "product_name": "Jaeger-1.17", "release_date": "2020-06-19T00:00:00Z"}, {"advisory": "RHSA-2020:2636", "cpe": "cpe:/a:redhat:jaeger:1.17::el7", "package": "distributed-tracing/jaeger-collector-rhel7:1.17.3-2", "product_name": "Jaeger-1.17", "release_date": "2020-06-19T00:00:00Z"}, {"advisory": "RHSA-2020:2636", "cpe": "cpe:/a:redhat:jaeger:1.17::el7", "package": "distributed-tracing/jaeger-ingester-rhel7:1.17.3-2", "product_name": "Jaeger-1.17", "release_date": "2020-06-19T00:00:00Z"}], "bugzilla": {"description": "jaegertracing/jaeger: credentials leaked to container logs", "id": "1838401", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838401"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-532->CWE-200", "details": ["Sensitive information written to a log file vulnerability was found in jaegertracing/jaeger before version 1.18.1 when the Kafka data store is used. This flaw allows an attacker with access to the container's log file to discover the Kafka credentials.", "An information disclosure vulnerability was found in jaegertracing/jaeger. When the Kafka data store is used, this flaw allows an attacker with access to the container's log file to discover the Kafka credentials."], "name": "CVE-2020-10750", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Will not fix", "package_name": "jaeger", "product_name": "OpenShift Service Mesh 1"}], "public_date": "2020-06-19T10:30:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-10750\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10750\nhttps://github.com/jaegertracing/jaeger/releases/tag/v1.18.1"], "statement": "While OpenShift ServiceMesh Jaeger does package the affected code (Kafka), the only supported data store is ElasticSearch. Additionally, in the documentation and notes, only ElasticSearch is supported, marking OpenShift ServiceMesh as affected but WONTFIX.", "threat_severity": "Moderate", "upstream_fix": "jaeger 1.18.1"}