History: Jun 26, 2020 - 3:15 p.m.

CVE-2020-10753

2020-06-26 15:15:11
CWE-113
CWE-74
redhat
web.nvd.nist.gov
cve-2020-10753
red hat
ceph
storage
radosgw
http headers
cors
exposeheader
vulnerability
nvd

CVSS2: 4.3

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

AI Score: 6.5
Confidence: High

EPSS: 0.003
Percentile: 68.9%

A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. Ceph versions 3.x and 4.x are vulnerable to this issue.

Affected configurations

Node: redhat ceph_storage Match 3.0 OR redhat ceph_storage Match 4.0 OR redhat openstack Match 15
Node: fedoraproject fedora Match 32
Node: opensuse leap Match 15.1
Node: linuxfoundation ceph Range <14.2.21
Node: canonical ubuntu_linux Match 16.04 esm OR canonical ubuntu_linux Match 18.04 lts

| Vendor | Product | Version | CPE |
|---|---|---|---|
| redhat | ceph_storage | 3.0 | cpe:2.3:a:redhat:ceph_storage:3.0:*:*:*:*:*:*:* |
| redhat | ceph_storage | 4.0 | cpe:2.3:a:redhat:ceph_storage:4.0:*:*:*:*:*:*:* |
| redhat | openstack | 15 | cpe:2.3:a:redhat:openstack:15:*:*:*:*:*:*:* |
| fedoraproject | fedora | 32 | cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:* |
| opensuse | leap | 15.1 | cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:* |
| linuxfoundation | ceph | * | cpe:2.3:a:linuxfoundation:ceph:*:*:*:*:*:*:*:* |
| canonical | ubuntu_linux | 16.04 | cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:* |
| canonical | ubuntu_linux | 18.04 | cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* |

CNA Affected

[
  {
    "vendor": "Red Hat",
    "product": "Red Hat Ceph Storage",
    "versions": [
      {
        "version": "versions 3.x and 4.x",
        "status": "affected"
      }
    ]
  }
]
