
CVE-2020-10750: Information Exposure in jaeger

5.5

CVSS Score
3.1

Basic Information

EPSS Score
0.18939%
Published
5/18/2021
Updated
9/15/2023
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name
github.com/jaegertracing/jaeger
Ecosystem
Go
Vulnerable Versions
< 1.18.1
First Patched Version
1.18.1

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stemmed from Jaeger logging the entire Kafka producer configuration struct, which included plaintext and Kerberos credentials. Commit 360c38b shows that the password fields were marked with `json:"-"` to exclude them from serialization, and that tests were added to verify the credentials no longer appear in the logs. The Red Hat bug analysis explicitly points to the logging in the `Initialize` method of `factory.go` as the leak vector: its `zap.Any()` call serialized the sensitive fields before the structs were annotated to exclude passwords.
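The before/after that the commit describes, as an added example rather than Jaeger's own code: zap's JSON encoder serializes reflected values with encoding/json, so the example calls encoding/json directly to stay stand-alone; the struct and field names, the log line format and the sample password values are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"strings"
)

// ProducerConfigLeaky is the "before": secrets are ordinary exported fields, so
// any reflection-based encoder writes them out. (Constructed for this example,
// not Jaeger's real config struct.)
type ProducerConfigLeaky struct {
	Brokers          []string `json:"brokers"`
	Username         string   `json:"username"`
	Password         string   `json:"password"`
	KerberosPassword string   `json:"kerberosPassword"`
}

// ProducerConfigSafe is the "after": the secret fields carry json:"-", which
// encoding/json skips entirely (neither key nor value is emitted).
type ProducerConfigSafe struct {
	Brokers          []string `json:"brokers"`
	Username         string   `json:"username"`
	Password         string   `json:"-"`
	KerberosPassword string   `json:"-"`
}

// renderLogLine mimics a structured logger that is handed the whole config
// value; zap's JSON encoder delegates such reflected values to encoding/json.
func renderLogLine(cfg interface{}) (string, error) {
	b, err := json.Marshal(cfg)
	if err != nil {
		return "", err
	}
	return "INFO kafka producer initialized config=" + string(b), nil
}

// leakedSecrets is the regression check the fix calls for: it reports which
// of the given secrets appear verbatim in a rendered log line.
func leakedSecrets(line string, secrets ...string) []string {
	var found []string
	for _, s := range secrets {
		if s != "" && strings.Contains(line, s) {
			found = append(found, s)
		}
	}
	return found
}
```

Running leakedSecrets over every log line emitted during initialization, with the configured secrets as input, turns the commit's "credentials must not appear in logs" check into a repeatable test.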

WAF Protection Rules

WAF Rule

Sensitive information written to a log file vulnerability was found in jaegertracing/jaeger before version 1.18.1 when the Kafka data store is used. This flaw allows an attacker with access to the container's log file to discover the Kafka credential
