{"containers": {"cna": {"affected": [{"product": "heketi", "vendor": "n/a", "versions": [{"status": "affected", "version": "heketi 10.1.0"}]}], "descriptions": [{"lang": "en", "value": "An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-11-24T16:17:23", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1845387"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/heketi/heketi/releases/tag/v10.1.0"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-10763", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "heketi", "version": {"version_data": [{"version_value": "heketi 10.1.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-532"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1845387", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1845387"}, {"name": "https://github.com/heketi/heketi/releases/tag/v10.1.0", "refsource": "MISC", "url": "https://github.com/heketi/heketi/releases/tag/v10.1.0"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:14:15.593Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1845387"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/heketi/heketi/releases/tag/v10.1.0"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-10763", "datePublished": "2020-11-24T16:17:23", "dateReserved": "2020-03-20T00:00:00", "dateUpdated": "2024-08-04T11:14:15.593Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:heketi_project:heketi:*:*:*:*:*:*:*:*", "matchCriteriaId": "95FD0B21-DD5C-4ABE-ABEB-64A6A892064E", "versionEndExcluding": "10.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:gluster_storage:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "F1986832-44C9-491E-A75D-AAD8FAE683E6", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:gluster_storage:3.5:*:*:*:*:*:*:*", "matchCriteriaId": "135265D8-583D-41EB-B741-419FC871CE91", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "932D137F-528B-4526-9A89-CD59FA1AB0FE", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en la divulgaci\u00f3n de informaci\u00f3n en la forma en que Heketi versiones anteriores a 10.1.0 registra informaci\u00f3n confidencial. Este fallo permite a un atacante con acceso local al servidor de Heketi leer informaci\u00f3n potencialmente confidencial, tal y como contrase\u00f1as de gluster-block"}], "id": "CVE-2020-10763", "lastModified": "2020-12-02T19:16:58.793", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-24T17:15:10.817", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1845387"}, {"source": "secalert@redhat.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/heketi/heketi/releases/tag/v10.1.0"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-532"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "This issue was discovered by Prasanna Kumar Kalever (Red Hat).", "affected_release": [{"advisory": "RHSA-2020:4143", "cpe": "cpe:/a:redhat:storage:3:client:el7", "package": "heketi-0:9.0.0-9.5.el7rhgs", "product_name": "Native Client for RHEL 7 for Red Hat Storage", "release_date": "2020-09-30T00:00:00Z"}, {"advisory": "RHSA-2020:4143", "cpe": "cpe:/a:redhat:storage:3.5:server:el7", "package": "gluster-block-0:0.2.1-36.2.el7rhgs", "product_name": "Red Hat Gluster Storage 3.5 for RHEL 7", "release_date": "2020-09-30T00:00:00Z"}, {"advisory": "RHSA-2020:4143", "cpe": "cpe:/a:redhat:storage:3.5:server:el7", "package": "heketi-0:9.0.0-9.5.el7rhgs", "product_name": "Red Hat Gluster Storage 3.5 for RHEL 7", "release_date": "2020-09-30T00:00:00Z"}, {"advisory": "RHSA-2020:4143", "cpe": "cpe:/a:redhat:storage:3.5:server:el7", "package": "tcmu-runner-0:1.2.0-32.2.el7rhgs", "product_name": "Red Hat Gluster Storage 3.5 for RHEL 7", "release_date": "2020-09-30T00:00:00Z"}, {"advisory": "RHSA-2020:5633", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-cluster-autoscaler:v4.7.0-202102130115.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-02-24T00:00:00Z"}], "bugzilla": {"description": "heketi: gluster-block volume password details available in logs", "id": "1845387", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1845387"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-532", "details": ["An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords.", "An information-disclosure flaw was found in the way Heketi logs sensitive information. This flaw allows an attacker with local access to the Heketi server, to read potentially sensitive information, such as gluster-block passwords."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2020-10763", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-efs-provisioner-rhel7", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-hyperkube", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2020-09-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-10763\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10763\nhttps://github.com/heketi/heketi/releases/tag/v10.1.0"], "statement": "The version of heketi shipped with Red Hat Gluster Storage 3 does not filter out gluster-block volume passwords, hence affected by this vulnerability.", "threat_severity": "Moderate", "upstream_fix": "heketi 10.1.0"}