{
  "threat_severity" : "Moderate",
  "public_date" : "2020-09-30T00:00:00Z",
  "bugzilla" : {
    "description" : "gluster-block: information disclosure through world-readable gluster-block log files",
    "id" : "1845067",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1845067"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-732->CWE-532",
  "details" : [ "An information-disclosure flaw was found in the way that gluster-block before 0.5.1 logs the output from gluster-block CLI operations. This includes recording passwords to the cmd_history.log file which is world-readable. This flaw allows local users to obtain sensitive information by reading the log file. The highest threat from this vulnerability is to data confidentiality.", "An information-disclosure flaw was found in the way that gluster-block logs the output from gluster-block CLI operations. This includes recording passwords to the cmd_history.log file which is world-readable. This flaw allows local users to obtain sensitive information by reading the log file. The highest threat from this vulnerability is to data confidentiality." ],
  "statement" : "The version of gluster-block shipped with Red Hat Gluster Storage 3 sets world-readable permissions on the gluster-block directory and on the log files that store the sensitive information, and is therefore affected by this vulnerability.",
  "acknowledgement" : "This issue was discovered by Prasanna Kumar Kalever (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Native Client for RHEL 7 for Red Hat Storage",
    "release_date" : "2020-09-30T00:00:00Z",
    "advisory" : "RHSA-2020:4143",
    "cpe" : "cpe:/a:redhat:storage:3:client:el7",
    "package" : "heketi-0:9.0.0-9.5.el7rhgs"
  }, {
    "product_name" : "Red Hat Gluster Storage 3.5 for RHEL 7",
    "release_date" : "2020-09-30T00:00:00Z",
    "advisory" : "RHSA-2020:4143",
    "cpe" : "cpe:/a:redhat:storage:3.5:server:el7",
    "package" : "gluster-block-0:0.2.1-36.2.el7rhgs"
  }, {
    "product_name" : "Red Hat Gluster Storage 3.5 for RHEL 7",
    "release_date" : "2020-09-30T00:00:00Z",
    "advisory" : "RHSA-2020:4143",
    "cpe" : "cpe:/a:redhat:storage:3.5:server:el7",
    "package" : "heketi-0:9.0.0-9.5.el7rhgs"
  }, {
    "product_name" : "Red Hat Gluster Storage 3.5 for RHEL 7",
    "release_date" : "2020-09-30T00:00:00Z",
    "advisory" : "RHSA-2020:4143",
    "cpe" : "cpe:/a:redhat:storage:3.5:server:el7",
    "package" : "tcmu-runner-0:1.2.0-32.2.el7rhgs"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-10762\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10762\nhttps://github.com/gluster/gluster-block/releases/tag/v0.5.1" ],
  "name" : "CVE-2020-10762",
  "mitigation" : {
    "value" : "Manually change the log file permissions to remove the readable bit for others, e.g.:\n# chmod 640 /var/log/glusterfs/gluster-block/cmd_history.log\nNOTE: The above mitigation only restricts access by other local users. To avoid storing passwords in the log file, update gluster-block to the fixed version.",
    "lang" : "en:us"
  },
  "csaw" : false
}