NVD:CVE-2020-10753
History: Jun 26, 2020 - 3:15 p.m.

CVE-2020-10753

2020-06-26 15:15:11
CWE-74
CWE-113
web.nvd.nist.gov
red hat ceph storage
vulnerability
header injection
cors exposeheader
cors
ceph versions 3.x and 4.x

CVSS2: 4.3

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS: 0.003
Percentile: 68.9%

A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. Ceph versions 3.x and 4.x are vulnerable to this issue.

Affected configurations

Nvd

Node: redhat ceph_storage Match 3.0 OR redhat ceph_storage Match 4.0 OR redhat openstack Match 15
Node: fedoraproject fedora Match 32
Node: opensuse leap Match 15.1
Node: linuxfoundation ceph Range <14.2.21
Node: canonical ubuntu_linux Match 16.04 esm OR canonical ubuntu_linux Match 18.04 lts

Vendor           Product       Version  CPE
redhat           ceph_storage  3.0      cpe:2.3:a:redhat:ceph_storage:3.0:*:*:*:*:*:*:*
redhat           ceph_storage  4.0      cpe:2.3:a:redhat:ceph_storage:4.0:*:*:*:*:*:*:*
redhat           openstack     15       cpe:2.3:a:redhat:openstack:15:*:*:*:*:*:*:*
fedoraproject    fedora        32       cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
opensuse         leap          15.1     cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
linuxfoundation  ceph          *        cpe:2.3:a:linuxfoundation:ceph:*:*:*:*:*:*:*:*
canonical        ubuntu_linux  16.04    cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
canonical        ubuntu_linux  18.04    cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
