{
  "threat_severity" : "Moderate",
  "public_date" : "2020-09-30T00:00:00Z",
  "bugzilla" : {
    "description" : "heketi: gluster-block volume password details available in logs",
    "id" : "1845387",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1845387"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-532",
  "details" : [ "An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords.", "An information-disclosure flaw was found in the way Heketi logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information, such as gluster-block passwords." ],
  "statement" : "The version of heketi shipped with Red Hat Gluster Storage 3 does not filter out gluster-block volume passwords and is therefore affected by this vulnerability.",
  "acknowledgement" : "This issue was discovered by Prasanna Kumar Kalever (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Native Client for RHEL 7 for Red Hat Storage",
    "release_date" : "2020-09-30T00:00:00Z",
    "advisory" : "RHSA-2020:4143",
    "cpe" : "cpe:/a:redhat:storage:3:client:el7",
    "package" : "heketi-0:9.0.0-9.5.el7rhgs"
  }, {
    "product_name" : "Red Hat Gluster Storage 3.5 for RHEL 7",
    "release_date" : "2020-09-30T00:00:00Z",
    "advisory" : "RHSA-2020:4143",
    "cpe" : "cpe:/a:redhat:storage:3.5:server:el7",
    "package" : "gluster-block-0:0.2.1-36.2.el7rhgs"
  }, {
    "product_name" : "Red Hat Gluster Storage 3.5 for RHEL 7",
    "release_date" : "2020-09-30T00:00:00Z",
    "advisory" : "RHSA-2020:4143",
    "cpe" : "cpe:/a:redhat:storage:3.5:server:el7",
    "package" : "heketi-0:9.0.0-9.5.el7rhgs"
  }, {
    "product_name" : "Red Hat Gluster Storage 3.5 for RHEL 7",
    "release_date" : "2020-09-30T00:00:00Z",
    "advisory" : "RHSA-2020:4143",
    "cpe" : "cpe:/a:redhat:storage:3.5:server:el7",
    "package" : "tcmu-runner-0:1.2.0-32.2.el7rhgs"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.7",
    "release_date" : "2021-02-24T00:00:00Z",
    "advisory" : "RHSA-2020:5633",
    "cpe" : "cpe:/a:redhat:openshift:4.7::el8",
    "package" : "openshift4/ose-cluster-autoscaler:v4.7.0-202102130115.p0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-efs-provisioner-rhel7",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-hyperkube",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-10763\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10763\nhttps://github.com/heketi/heketi/releases/tag/v10.1.0" ],
  "name" : "CVE-2020-10763",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}