
CVE-2020-10763: Heketi logs sensitive information

CVSS Score (v3.1)
5.5

Basic Information

EPSS Score
0.33362%
Published
5/24/2022
Updated
4/24/2024
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name
github.com/heketi/heketi
Ecosystem
go
Vulnerable Versions
< 10.1.0
First Patched Version
10.1.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit be15838 shows these functions were modified to add 'cmd.Options.Quiet = true' when handling authenticated volumes. This change explicitly prevents logging sensitive gluster-block credentials. The vulnerability description specifically references exposed passwords in Heketi logs, and these functions handle the gluster-block operations where CHAP authentication details would be processed. The patch confirms these were the vulnerable code paths.
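The analysis above turns on one idea: a command executor that writes the full argument vector to its log will also write any credential carried in that vector, and a Quiet option is the simplest way to stop that. The following Go program is an added illustration, not Heketi's code; its Options, Command and Executor types and the "block-tool" command line with its --user and --password flags are hypothetical stand-ins (not real gluster-block syntax). It runs the same command under three logging policies, verbose, quiet and redacted, and shows which of them keep the CHAP secret out of the log.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical types modelled loosely on the idea of a Quiet option on a
// command executor; they are NOT Heketi's real API.
type Options struct {
	Quiet bool // when true, the executor never logs command arguments
}

type Command struct {
	Args    []string
	Options Options
}

// Executor records what it would have logged, so the effect of each
// logging policy can be inspected without a real logger or a real shell.
type Executor struct {
	Log []string
}

// Run does not execute anything; it only emits the log line the executor
// would have written before running the command.
func (e *Executor) Run(c Command) {
	if c.Options.Quiet {
		// Quiet mode: note which binary ran and nothing else.
		e.Log = append(e.Log, fmt.Sprintf("exec %s (arguments suppressed)", c.Args[0]))
		return
	}
	// Verbose mode: the whole argument vector, secrets included, lands in the log.
	e.Log = append(e.Log, "exec "+strings.Join(c.Args, " "))
}

// RunRedacted is the middle ground: keep the command line in the log but
// mask the value that follows any flag listed in sensitiveFlags.
func (e *Executor) RunRedacted(c Command, sensitiveFlags ...string) {
	masked := make([]string, len(c.Args))
	copy(masked, c.Args)
	for i := 0; i+1 < len(masked); i++ {
		for _, f := range sensitiveFlags {
			if masked[i] == f {
				masked[i+1] = "[REDACTED]"
			}
		}
	}
	e.Log = append(e.Log, "exec "+strings.Join(masked, " "))
}

// LogsContain reports whether any recorded line exposes the given secret.
func (e *Executor) LogsContain(secret string) bool {
	for _, line := range e.Log {
		if strings.Contains(line, secret) {
			return true
		}
	}
	return false
}

// Constructed placeholder, not a real credential.
const chapSecret = "CHAP_PASSWORD_PLACEHOLDER"

// Demo runs one constructed command line (flag names invented, not real
// gluster-block syntax) under all three policies and returns the executors.
func Demo() (verbose, quiet, redacted *Executor) {
	args := []string{"block-tool", "create", "vol/blk", "--auth", "chap",
		"--user", "iscsi-initiator", "--password", chapSecret}

	verbose = &Executor{}
	verbose.Run(Command{Args: args}) // Quiet defaults to false: the secret is logged

	quiet = &Executor{}
	quiet.Run(Command{Args: args, Options: Options{Quiet: true}})

	redacted = &Executor{}
	redacted.RunRedacted(Command{Args: args}, "--password")
	return verbose, quiet, redacted
}

func main() {
	verbose, quiet, redacted := Demo()
	for name, e := range map[string]*Executor{"verbose": verbose, "quiet": quiet, "redacted": redacted} {
		fmt.Printf("%-8s leaks secret: %-5v log: %s\n", name, e.LogsContain(chapSecret), e.Log[0])
	}
}
```

Quiet mode is the blunt fix the commit chose: nothing about the command survives in the log except the binary name, which is safe but costs the operator debugging context. The redaction variant keeps the rest of the command line visible and only hides the value after a named flag, which is the pattern to reach for when the log is still needed for troubleshooting; its weakness is that every secret-carrying flag has to be enumerated, so a new flag added later can reopen the leak.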

Vulnerable functions


WAF Protection Rules

WAF Rule

An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords.
