CVE-2020-10762 gluster-block: information disclosure through world-readable gluster-block log files

Related Vulnerabilities: CVE-2020-10762  

From: Hardik Vyas <hvyas () redhat com>

Date: Wed, 30 Sep 2020 20:39:23 +0530

Hello,

An information-disclosure flaw was found in the way that gluster-block
logs the output from gluster-block CLI operations. This includes recording
passwords to the cmd_history.log file which is world-readable. This flaw
allows local users to obtain sensitive information by reading the log file.
The highest threat from this vulnerability is to data confidentiality.

CVE-2020-10762 has been assigned for this flaw.

Upstream PR: https://github.com/gluster/gluster-block/pull/280
Release: https://github.com/gluster/gluster-block/releases/tag/v0.5.1

Credit: Prasanna Kumar Kalever (Red Hat)

Thanks,
-- 

Hardik Vyas / Red Hat Product Security

BD48 C633 DE34 733A BBC3  3B72 8A14 AEBB D68B 9381
secalert () redhat com for urgent response
<https://www.redhat.com>
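
The class of flaw described in the advisory above, as an added C example that is not part of the original message and is not gluster-block's code or its upstream fix: a log created with `fopen()` under a typical umask is world-readable, while opening it with mode 0600 plus `fchmod()` restricts it to the owner, including when the file already exists. The temporary directory, function names and log lines are constructed for illustration.

```c
/* Added example, not gluster-block code; names and paths are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: fopen() creates with 0666 & ~umask, i.e. 0644 under umask 022. */
static int log_weak(const char *path, const char *line)
{
    FILE *fp = fopen(path, "a");
    int ok = fp && fprintf(fp, "%s\n", line) > 0;
    return (fp && fclose(fp) == 0 && ok) ? 0 : -1;
}
/* Hardened: 0600 at creation, no symlink following, and fchmod() to tighten
 * a file that an earlier run already created with wider permissions. */
static int log_hardened(const char *path, const char *line)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    int ok = fchmod(fd, S_IRUSR | S_IWUSR) == 0 && dprintf(fd, "%s\n", line) > 0;
    return (close(fd) == 0 && ok) ? 0 : -1;
}
/* Audit: 1 if "other" can read the file, 0 if not, -1 if stat() fails. */
static int world_readable(const char *path)
{
    struct stat st;
    return stat(path, &st) != 0 ? -1 : (st.st_mode & S_IROTH) != 0;
}

/* Bit 0: readable by others after the weak write; bit 1: after the hardened one. */
int demo(void)
{
    char dir[] = "/tmp/logperm_XXXXXX", path[64];
    if (!mkdtemp(dir))
        return -1;
    snprintf(path, sizeof path, "%s/cmd_history.log", dir);
    mode_t old = umask(022); /* common default umask */
    log_weak(path, "constructed sample: password=example");
    int before = world_readable(path) == 1;
    log_hardened(path, "constructed sample: password=[redacted]");
    int after = world_readable(path) == 1;
    umask(old);
    unlink(path); rmdir(dir);
    return before | (after << 1);
}
int main(void) { return demo() == 1 ? 0 : 1; }
```

Tightening permissions on an existing log does not remove secrets already written to it, so credentials that appeared in a world-readable file should be treated as exposed.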
