PT-2021-10078 · Unknown · Ceph-Ansible

Author: Dhananjay Arunesh · Published: 2020-05-19 · Updated: 2021-06-10 · CVE-2020-1716

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: ceph-ansible versions prior to 6.0.0alpha1
Description: A flaw was found in the ceph-ansible playbook: it contained hardcoded passwords that were used as default passwords when deploying Ceph services. Any authenticated attacker can abuse this flaw to brute-force Ceph deployments and gain administrator access to Ceph clusters through the Ceph dashboard, allowing them to read, write, and delete Ceph clusters and to modify Ceph cluster configurations.
Recommendations: For versions prior to 6.0.0alpha1, update to version 6.0.0alpha1 or later to resolve the issue. As a temporary workaround, consider changing the default passwords used by the ceph-ansible playbook to prevent brute-force attacks. Restrict access to the Ceph dashboard to minimize the risk of exploitation. Avoid using the hardcoded passwords in the ceph-ansible playbook until the issue is resolved.

Weakness Enumeration

Using Hardcoded Credentials

Related Identifiers

CVE-2020-1716
RHSA-2020:2231
RLSA-2020:2231

Affected Products

Rocky Linux
Ceph-Ansible