Security Bulletin: IBM Storage Ceph is vulnerable to Improper Validation of Specified Index, Position, or Offset in Input in zipfile (CVE-2025-8291)

Summary zipfile is used by IBM Storage Ceph. CVE-2025-8291 This bulletin identifies the steps to take to address the vulnerability in Ceph. Vulnerability Details CVEID:CVE-2025-8291 DESCRIPTION: The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory EOCD Locator...

Security Bulletin: IBM Storage Ceph is vulnerable to an Origin Validation Error in Grafana (CVE-2024-57965)

Summary Axios is a dependency of Grafana, and Grafana is used by IBM Storage Ceph as a metrics dashboard. This bulletin identifies the steps to take to address the vulnerability in Grafana. CVE-2024-57965 Vulnerability Details CVEID:CVE-2024-57965 DESCRIPTION: In axios before 1.7.8,...

Security Bulletin: IBM Storage Ceph is vulnerable to HTTP Request/Response Smuggling in Grafana (CVE-2025-22871)

Summary Grafana is used by IBM Storage Ceph as a metrics dashboard. This bulletin identifies the steps to take to address the vulnerability in Golang via Grafana. CVE-2025-22871 Vulnerability Details CVEID:CVE-2025-22871 DESCRIPTION: The net/http package improperly accepts a bare LF as a line...

Security Bulletin: IBM Storage Ceph is vulnerable to Exposure of Sensitive Information Through Data Queries in Golang Go (CVE-2023-45288)

Summary Golang Go is used by IBM Storage Ceph as part of RGW and in assorted other locations. CVE-2023-45288 Vulnerability Details CVEID:CVE-2023-45288 DESCRIPTION: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION...

Security Bulletin: IBM Storage Ceph is vulnerable to Cross-site Scripting in npm-serialize-javascript (CVE-2024-11831)

Summary npm-serialize-javascript is used by IBM Storage Ceph in assorted components. CVE-2024-11831 Vulnerability Details CVEID:CVE-2024-11831 DESCRIPTION: A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize...

Security Bulletin: IBM Storage Ceph is vulnerable to Insufficient Verification of Data Authenticity in RGW (CVE-2024-48916)

Summary Ceph Rados Gateway RadosGW OIDC provider is used by IBM Storage Ceph in RGW. CVE-2024-48916 This bulletin identifies the steps to take to address the vulnerability in Ceph. Vulnerability Details CVEID:CVE-2024-48916 DESCRIPTION: Ceph is a distributed object, block, and file storage...

Security Bulletin: IBM Storage Ceph is vulnerable to Time-of-check Time-of-use in python-waitress (CVE-2024-49768)

Summary python-waitress is used by IBM Storage Ceph. CVE-2024-49768 Vulnerability Details CVEID:CVE-2024-49768 DESCRIPTION: Waitress is a Web Server Gateway Interface server for Python 2 and 3. A remote client may send a request that is exactly recvbytes defaults to 8192 long, followed by a...

Security Bulletin: IBM Storage Ceph is vulnerable to the Exposure of Sensitive Information to an Unauthorized Actor in Grafana (CVE-2025-22866)

Summary Grafana is used by IBM Storage Ceph as a metrics dashboard. This bulletin identifies the steps to take to address the vulnerability in Grafana. CVE-2025-22866 Vulnerability Details CVEID:CVE-2025-22866 DESCRIPTION: Due to the usage of a variable time instruction in the assembly...

Security Bulletin: IBM Storage Ceph is vulnerable to Improper Validation of Syntactic Correctness of Input in Golang (CVE-2025-22868)

Summary Golang is used by IBM Storage Ceph in Grafana. CVE-2025-22868 Vulnerability Details CVEID:CVE-2025-22868 DESCRIPTION: An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. CWE:CWE-1286: Improper Validation of Syntactic Correctness o...

Security Bulletin: IBM Storage Ceph is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor in Golang (CVE-2024-45336)

Summary Golang is used by IBM Storage Ceph as part of RGW and in assorted other locations. CVE-2024-45336 Vulnerability Details CVEID:CVE-2024-45336 DESCRIPTION: The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an...

Security Bulletin: IBM Storage Ceph is vulnerable to a Rogue Session Attack and Rogue Extension Negotiation in python-asyncssh (CVE-2023-46446, CVE-2023-46445)

Summary python-asyncssh is used by IBM Storage Ceph as an asynchronous client and server implementation of the SSHv2 protocol. CVE-2023-46446, CVE-2023-46445 Vulnerability Details CVEID:CVE-2023-46446 DESCRIPTION: An issue in AsyncSSH before 2.14.1 allows attackers to control the remote end of an...

Security Bulletin: IBM Storage Ceph is vulnerable to Improper Validation of Integrity Check Value in python-asyncssh (CVE-2023-48795)

Summary python-asyncss is used by IBM Storage Ceph ias an asynchronous client and server implementation of the SSHv2 protocol. CVE-2023-48795 Vulnerability Details CVEID:CVE-2023-48795 DESCRIPTION: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other...

Security Bulletin: IBM Storage Ceph is vulnerable to Asymmetric Resource Consumption in Golang Go (CVE-2025-30204)

Summary Golang Go is used by IBM Storage Ceph as part of RGW and in assorted other locations. CVE-2025-30204 Vulnerability Details CVEID:CVE-2025-30204 DESCRIPTION: golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function...

Security Bulletin: IBM Storage Ceph is vulnerable to Improper Handling of Syntactically Invalid Structure in Grafana (CVE-2025-22865)

Summary Grafana is used by IBM Storage Ceph as part of the dashboard to monitor the stats for each cluster. CVE-2025-22865 Vulnerability Details CVEID:CVE-2025-22865 DESCRIPTION: Using ParsePKCS1PrivateKey to parse a RSA key that is missing the CRT values would panic when verifying that the key i...

Security Bulletin: IBM Storage Ceph is vulnerable to Improper Privilege Management in Grafana (CVE-2024-1442)

Summary Grafana is used by IBM Storage Ceph as a metrics dashboard. This bulletin identifies the steps to take to address the vulnerability in Grafana. CVE-2024-1442 Vulnerability Details CVEID:CVE-2024-1442 DESCRIPTION: A user with the permissions to create a data source can use Grafana API to...

Security Bulletin: IBM Storage Ceph is vulnerable to Allocation of Resources Without Limits or Throttling in Grafana (CVE-2023-45290)

Summary Grafana is used by IBM Storage Ceph as a metrics dashboard. CVE-2023-45290 This bulletin identifies the steps to take to address the vulnerability in Grafana. Vulnerability Details CVEID:CVE-2023-45290 DESCRIPTION: When parsing a multipart form either explicitly with...

Security Bulletin: IBM Storage Ceph is vulnerable to an Infinite Loop in Grafana (CVE-2024-24786)

Summary Grafana is used by IBM Storage Ceph as a metrics dashboard. CVE-2024-24786 This bulletin identifies the steps to take to address the vulnerability in Grafana. Vulnerability Details CVEID:CVE-2024-24786 DESCRIPTION: The protojson.Unmarshal function can enter an infinite loop when...

EUVD-2023-50402

Malicious code in bioql PyPI...

Security Bulletin: IBM Storage Ceph is vulnerable to Placement of User into Incorrect Group in Ceph-crash.service (CVE-2022-3650)

Summary Ceph-crash.service is used by IBM Storage Ceph. CVE-2022-3650 This bulletin identifies the steps to take to address the vulnerability in Ceph. Vulnerability Details CVEID:CVE-2022-3650 DESCRIPTION: Ceph could allow a local authenticated attacker to gain elevated privileges on the system,...

Security Bulletin: IBM Storage Ceph is vulnerable to the Authorization Bypass Through User-Controlled Key in Grafana (CVE-2024-10452)

Summary Grafana is used by IBM Storage Ceph as a metrics dashboard. This bulletin identifies the steps to take to address the vulnerability in Grafana. CVE-2024-10452 Vulnerability Details CVEID:CVE-2024-10452 DESCRIPTION: Organization admins can delete pending invites created in an organization...