CVE-2020-10763: Heketi logs sensitive information
5.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.33362%
CWE
Published
5/24/2022
Updated
4/24/2024
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/heketi/heketi | go | < 10.1.0 | 10.1.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The commit be15838 shows these functions were modified to add 'cmd.Options.Quiet = true' when handling authenticated volumes. This change explicitly prevents logging sensitive gluster-block
credentials. The vulnerability description specifically references exposed passwords in Heketi
logs, and these functions handle the gluster-block
operations where CHAP
authentication details would be processed. The patch confirms these were the vulnerable code paths.