Red Hat Ceph 14.2.14

CPE Details

Red Hat Ceph 14.2.14
redhat
ceph
14.2.14
2020-12-09
15h49 +00:00
2020-12-09
15h49 +00:00
CPE NVD
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
Notifications manage

CPE Name: cpe:2.3:a:redhat:ceph:14.2.14:*:*:*:*:*:*:*

Informations

Vendor

redhat

Product

ceph

Version

14.2.14

Related CVE

Open and find in CVE List

CVE ID Published Description Score Severity
CVE-2020-27839 2021-05-26 19h25 +00:00 A flaw was found in ceph-dashboard. The JSON Web Token (JWT) used for user authentication is stored by the frontend application in the browser’s localStorage which is potentially vulnerable to attackers via XSS attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
5.4
Medium
CVE-2021-3531 2021-05-17 22h00 +00:00 A flaw was found in the Red Hat Ceph Storage RGW in versions before 14.2.21. When processing a GET Request for a swift URL that ends with two slashes it can cause the rgw to crash, resulting in a denial of service. The greatest threat to the system is of availability.
5.3
Medium
CVE-2021-3524 2021-05-16 22h00 +00:00 A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway) in versions before 14.2.21. The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. In addition, the prior bug fix for CVE-2020-10753 did not account for the use of \r as a header separator, thus a new flaw has been created.
6.5
Medium
CVE-2020-25678 2021-01-08 17h59 +00:00 A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible.
4.4
Medium
CVE-2020-27781 2020-12-17 23h00 +00:00 User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila, resulting in potential privilege escalation. An Open Stack Manila user can request access to a share to an arbitrary cephx user, including existing users. The access key is retrieved via the interface drivers. Then, all users of the requesting OpenStack project can view the access key. This enables the attacker to target any resource that the user has access to. This can be done to even "admin" users, compromising the ceph administrator. This flaw affects Ceph versions prior to 14.2.16, 15.x prior to 15.2.8, and 16.x prior to 16.2.0.
7.1
High