A path traversal flaw was found in the Ceph dashboard implemented in upstream versions v14.2.5, v14.2.6, v15.0.0 of Ceph storage and has been fixed in versions 14.2.7 and 15.1.0. An unauthenticated attacker could use this flaw to cause information disclosure on the host machine running the Ceph dashboard.
Conclusion & alert: CVE-2020-1699 is rated Moderate Risk (57.9/100): CVSS High severity, with medium exploitation likelihood (EPSS 2.09%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 1.88% | 2.09% | +0.21% |
| 2 | 2026-05-26 | 1.82% | 1.88% | +0.06% |
| 3 | 2025-11-21 | — | 1.82% | — |
Full EPSS history (12 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
| 5.0 | 2.0 | MEDIUM |
|
10.0 | 2.9 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
high | CVE-2020-1699: 2 source package rows (ceph, ceph16); 4 state rows across 3 repos (3.17-community, 3.18-community, edge-community); fixed 4, open 0. | https://security.alpinelinux.org/vuln/CVE-2020-1699 |
debian
|
not yet assigned | CVE-2020-1699 not yet assigned priority: Debian including 1 source packages (ceph), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2020-1699 |
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2020-1699 |
suse
|
medium | CVE-2020-1699 severity moderate: SUSE including 168 source package names (1.1.1.0.1.5.110:ceph-14.2.5.382+g8881d33957-3.14.1, 1.1.1.0.1.5.110:ceph-base-14.2.5.382+g8881d33957-3.14.1, …), 338 product×package rows across 34 product lines (Container caasp/v4/hyperkube, Container ses/6/cephcsi/cephcsi, … (34 product lines)): Known Not Affected 184, Fixed 154. | https://www.suse.com/security/cve/CVE-2020-1699/ |
ubuntu
|
medium | CVE-2020-1699 medium priority: Ubuntu including 1 source packages (ceph), 6 status rows across 6 suites (bionic, disco, eoan, trusty, upstream, xenial): not-affected 4, ignored 1, released 1. | https://ubuntu.com/security/CVE-2020-1699 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| linuxfoundation | ceph | 14.2.5 | cpe:2.3:a:linuxfoundation:ceph:14.2.5:*:*:*:*:*:*:* |
| linuxfoundation | ceph | 14.2.6 | cpe:2.3:a:linuxfoundation:ceph:14.2.6:*:*:*:*:*:*:* |
| linuxfoundation | ceph | 15.0.0 | cpe:2.3:a:linuxfoundation:ceph:15.0.0:*:*:*:*:*:*:* |
| redhat | ceph_storage | 4.0 | cpe:2.3:a:redhat:ceph_storage:4.0:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1699 | Issue Tracking Vendor Advisory |