CVE-2018-16889

low-risk
Published 2019-01-28

Ceph does not properly sanitize encryption keys in debug logging for v4 auth. This results in the leaking of encryption key information in log files via plaintext. Versions up to v13.2.4 are vulnerable.

Do I need to act?

-
0.07% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10 Medium
LOCAL / LOW complexity

Affected Products (1)

Ceph

Affected Vendors

Redhat

References (10)

Third Party Advisory http://www.securityfocus.com/bid/106528
https://access.redhat.com/errata/RHSA-2019:2538
https://access.redhat.com/errata/RHSA-2019:2541
Exploit https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16889
https://usn.ubuntu.com/4035-1/
Third Party Advisory http://www.securityfocus.com/bid/106528
https://access.redhat.com/errata/RHSA-2019:2538
https://access.redhat.com/errata/RHSA-2019:2541
Exploit https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16889
https://usn.ubuntu.com/4035-1/
23
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal