Linuxfoundation Ceph

8 matches found

added 2020/06/26 12:0 a.m. | 286 views

CVE-2020-10753

CVE-2020-10753 affects Red Hat Ceph Storage RadosGW (Ceph Object Gateway). A newline in a CORS ExposeHeader tag in the CORS configuration can inject HTTP headers into responses, enabling header injection during CORS requests. The issue is reported for Ceph RGW in versions 3.x and 4.x (with relate...

CVSS 6.5 | AI score 6.5 | EPSS 0.01627
added 2020/04/23 12:0 a.m. | 261 views

CVE-2020-1760

CVE-2020-1760 affects Ceph RGW (Ceph Object Gateway): an anonymous S3 request can trigger cross-site scripting due to insufficient input neutralization. The issue is rooted in how untrusted input is handled in the RGW/ExposeHeader scenarios, enabling potential XSS when a path to a publicly readab...

CVSS 6.1 | AI score 5.9 | EPSS 0.01525
added 2021/04/15 12:0 a.m. | 226 views

CVE-2021-20288

Ceph CVE-2021-20288 is an authentication flaw in Ceph before certain fixed releases. The root cause is that CEPHX_GET_AUTH_SESSION_KEY handling does not sanitize other_keys, allowing reuse of old keys when a global_id is requested, enabling a user to leverage a global_id previously associated wit...

CVSS 7.2 | AI score 6.8 | EPSS 0.0211
added 2020/04/13 12:4 p.m. | 209 views

CVE-2020-1759

CVE-2020-1759 affects Red Hat Ceph Storage 4 and Red Hat OpenShift Container Storage 4.2, where the secure mode of the messenger v2 protocol (msgr2) allows nonce reuse. This enables forging authentication tags and can lead to confidentiality and integrity problems in sessions when a nonce is reus...

CVSS 6.8 | AI score 6.5 | EPSS 0.01373
added 2020/04/21 3:27 p.m. | 184 views

CVE-2020-1699

CVE-2020-1699 affects Ceph’s dashboard in upstream Ceph v14.2.5, v14.2.6, and v15.0.0, enabling information disclosure via a path traversal flaw. It is fixed in v14.2.7 and v15.1.0. The vulnerability is exploitable by an unauthenticated attacker and could reveal host-machine information running t...

CVSS 7.5 | AI score 7.1 | EPSS 0.02092
added 2022/07/25 1:58 p.m. | 162 views

CVE-2022-0670

CVE-2022-0670 affects Ceph/Manila integration for OpenStack CephFS shares via the volumes plugin in Ceph Manager. The root cause is a bug in the volumes plugin that lets the share owner read/write any Manila share or the entire filesystem, compromising confidentiality and integrity. Remediation...

CVSS 9.1 | AI score 8.9 | EPSS 0.00924
added 2020/04/22 12:0 a.m. | 153 views

CVE-2020-12059

CVE-2020-12059 affects Ceph RGW; up to Ceph 13.2.9, a POST request with an invalid tagging XML can crash the RGW process by triggering a NULL pointer exception, causing a Denial of Service. Debian and Red Hat advisories confirm fixes: Debian 10 (buster) patched via ceph 12.2.11+dfsg1-2.1+deb10u1,...

CVSS 7.5 | AI score 7.3 | EPSS 0.02654
added 2020/06/22 5:49 p.m. | 107 views

CVE-2020-10736

CVE-2020-10736 affects Ceph 15.2.0 up to, but not including, 15.2.2. The root cause is an authorization bypass in ceph-mon and ceph-mgr that allows an authenticated client to access unauthorized resources and modify configuration, potentially enabling further attacks. The documented impact is hig...

CVSS 8 | AI score 7.5 | EPSS 0.00646