CVE-2020-10762
First published: Mon Jun 08 2020(Updated: )
An information-disclosure flaw was found in the way that gluster-block before 0.5.1 logs the output from gluster-block CLI operations. This includes recording passwords to the cmd_history.log file which is world-readable. This flaw allows local users to obtain sensitive information by reading the log file. The highest threat from this vulnerability is to data confidentiality.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/heketi | <0:9.0.0-9.5.el7 | 0:9.0.0-9.5.el7 |
| redhat/gluster-block | <0:0.2.1-36.2.el7 | 0:0.2.1-36.2.el7 |
| redhat/tcmu-runner | <0:1.2.0-32.2.el7 | 0:1.2.0-32.2.el7 |
| redhat/gluster-block | <0.5.1 | 0.5.1 |
| Red Hat Gluster Storage | <0.5.1 |
Remedy
Manually change the log files permission to remove readable bits for others, e.g; # chmod 640 /var/log/glusterfs/gluster-block/cmd_history.log NOTE: The above mitigation only restricts access to the other local users. To avoid storing passwords to the log file, kindly update gluster-block to the fixed version.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1845067
- https://github.com/gluster/gluster-block/releases/tag/v0.5.1
- https://github.com/gluster/gluster-block/pull/280
- https://access.redhat.com/errata/RHSA-2020:4143
- https://access.redhat.com/security/cve/cve-2020-10762
- https://www.cve.org/CVERecord?id=CVE-2020-10762 https://nvd.nist.gov/vuln/detail/CVE-2020-10762 https://github.com/gluster/gluster-block/releases/tag/v0.5.1
Frequently Asked Questions
What is the severity of CVE-2020-10762?
CVE-2020-10762 has a medium severity rating due to the information disclosure risk associated with logging sensitive data.
How do I fix CVE-2020-10762?
To fix CVE-2020-10762, upgrade gluster-block to version 0.5.1 or later.
What type of vulnerability is CVE-2020-10762?
CVE-2020-10762 is an information-disclosure vulnerability affecting gluster-block CLI operations.
Who is affected by CVE-2020-10762?
Local users on systems running vulnerable versions of gluster-block can be affected by CVE-2020-10762.
What information is exposed by CVE-2020-10762?
CVE-2020-10762 can expose sensitive information, including passwords, through the world-readable cmd_history.log file.
- collector/redhat-cve
- agent/weakness
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- agent/author
- agent/severity
- agent/references
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-10762
- agent/software-canonical-lookup
- agent/event
- agent/trending
- agent/description
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/redhat
- canonical/red hat gluster storage