Path traversal in Ceph - CVE-2020-1699

 


Published: April 21, 2020 / Updated: July 28, 2020


Vulnerability identifier: #VU31992
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-1699
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Red Hat Inc.
Affected software:
Ceph

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

A path traversal flaw was found in the Ceph dashboard in upstream Ceph storage versions v14.2.5, v14.2.6 and v15.0.0. It has been fixed in versions 14.2.7 and 15.1.0. An unauthenticated attacker could use this flaw to cause information disclosure on the host machine running the Ceph dashboard.


How to mitigate CVE-2020-1699

Install the update from the vendor's website.
