CVE-2020-10750: Information Exposure in jaeger
CVSS Score: 5.5 (CVSS v3.1)
Basic Information
CVE ID: CVE-2020-10750
GHSA ID:
EPSS Score: 0.18939%
CWE:
Published: 5/18/2021
Updated: 9/15/2023
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/jaegertracing/jaeger | go | < 1.18.1 | 1.18.1 |
Vulnerability Intelligence (Miggo AI)
Root Cause Analysis
The vulnerability stemmed from Jaeger logging the entire Kafka producer configuration struct, which included plaintext and Kerberos credentials. Commit 360c38b shows the password fields being marked with `json:"-"` to exclude them from serialization, and tests being added to verify that credentials do not appear in logs. The Red Hat bug analysis explicitly points to the logging in the `Initialize` method of factory.go as the leak vector: its `zap.Any()` call serialized the sensitive fields before the structs were annotated to exclude passwords.
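To illustrate the mechanism described above, here is an added Go example that is not part of this record or of the Jaeger code base. It assumes that a reflection-based log field such as `zap.Any()` renders an arbitrary struct through `encoding/json` (zap's default reflected encoder), so `encoding/json` is used directly to avoid a third-party dependency; the struct and field names are constructed stand-ins, not Jaeger's actual configuration types. The "before" structs reproduce the leak, the "after" structs carry the `json:"-"` tag, and `leaksSecret` is the kind of check a regression test would run over the rendered log line.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed stand-in for a Kafka producer configuration as it was logged
// before the fix: every field, including passwords, is serializable.
type PlainTextConfigBefore struct {
	UserName string `json:"username"`
	Password string `json:"password"` // serialized: this is the leak
}

type KerberosConfigBefore struct {
	Realm    string `json:"realm"`
	Password string `json:"password"` // serialized: this is the leak
}

type KafkaConfigBefore struct {
	Brokers   []string              `json:"brokers"`
	PlainText PlainTextConfigBefore `json:"plaintext"`
	Kerberos  KerberosConfigBefore  `json:"kerberos"`
}

// Hardened variant: the `json:"-"` tag tells encoding/json (and therefore any
// reflection-based logger built on it) to skip the field entirely.
type PlainTextConfigAfter struct {
	UserName string `json:"username"`
	Password string `json:"-"`
}

type KerberosConfigAfter struct {
	Realm    string `json:"realm"`
	Password string `json:"-"`
}

type KafkaConfigAfter struct {
	Brokers   []string             `json:"brokers"`
	PlainText PlainTextConfigAfter `json:"plaintext"`
	Kerberos  KerberosConfigAfter  `json:"kerberos"`
}

// renderForLog mimics what a reflection-based log field does with an
// arbitrary struct: it marshals the value to JSON. A marshal error is folded
// into the returned string so callers still see what would reach the log line.
func renderForLog(v interface{}) string {
	b, err := json.Marshal(v)
	if err != nil {
		return "marshal error: " + err.Error()
	}
	return string(b)
}

// leaksSecret reports whether a rendered log line contains the secret value.
// An empty secret never counts as leaked, so unset credentials do not produce
// false positives in a test suite.
func leaksSecret(logLine, secret string) bool {
	return secret != "" && strings.Contains(logLine, secret)
}

func main() {
	// Constructed sample credentials; they are not real.
	const password = "hunter2"
	before := KafkaConfigBefore{
		Brokers:   []string{"kafka:9092"},
		PlainText: PlainTextConfigBefore{UserName: "svc-jaeger", Password: password},
		Kerberos:  KerberosConfigBefore{Realm: "EXAMPLE.ORG", Password: password},
	}
	after := KafkaConfigAfter{
		Brokers:   []string{"kafka:9092"},
		PlainText: PlainTextConfigAfter{UserName: "svc-jaeger", Password: password},
		Kerberos:  KerberosConfigAfter{Realm: "EXAMPLE.ORG", Password: password},
	}
	for _, c := range []struct {
		name string
		v    interface{}
	}{{"before", before}, {"after", after}} {
		line := renderForLog(c.v)
		fmt.Printf("%s: %s\n  leaks password: %v\n", c.name, line, leaksSecret(line, password))
	}
}
```

The fix is only as complete as the tag coverage: any new credential-bearing field added later without `json:"-"` (or an equivalent `MarshalJSON` that redacts it) reappears in the log line, which is why the regression test that scans the rendered output for the secret value is worth keeping alongside the tag.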