All the vulnerabilites related to Red Hat - Red Hat Ceph Storage
cve-2020-10753
Vulnerability from cvelistv5
Published
2020-06-26 00:00
Modified
2024-08-04 11:14
Severity ?
EPSS score ?
Summary
A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. Ceph versions 3.x and 4.x are vulnerable to this issue.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Red Hat | Red Hat Ceph Storage |
Version: versions 3.x and 4.x |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T11:14:15.190Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10753" }, { "name": "openSUSE-SU-2020:0898", "tags": [ "vendor-advisory", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00062.html" }, { "name": "FEDORA-2020-c9bff9688e", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFU7LXEL2UZE565FJBTY7UGH2O7ZUBVS/" }, { "name": "USN-4528-1", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://usn.ubuntu.com/4528-1/" }, { "name": "GLSA-202105-39", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202105-39" }, { "name": "[debian-lts-announce] 20210810 [SECURITY] [DLA 2735-1] ceph security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00013.html" }, { "name": "[debian-lts-announce] 20231023 [SECURITY] [DLA 3629-1] ceph security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Red Hat Ceph Storage", "vendor": "Red Hat", "versions": [ { "status": "affected", "version": "versions 3.x and 4.x" } ] } ], "descriptions": [ { "lang": "en", "value": "A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. Ceph versions 3.x and 4.x are vulnerable to this issue." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-113", "description": "CWE-113", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-23T18:06:17.659671", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10753" }, { "name": "openSUSE-SU-2020:0898", "tags": [ "vendor-advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00062.html" }, { "name": "FEDORA-2020-c9bff9688e", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFU7LXEL2UZE565FJBTY7UGH2O7ZUBVS/" }, { "name": "USN-4528-1", "tags": [ "vendor-advisory" ], "url": "https://usn.ubuntu.com/4528-1/" }, { "name": "GLSA-202105-39", "tags": [ "vendor-advisory" ], "url": "https://security.gentoo.org/glsa/202105-39" }, { "name": "[debian-lts-announce] 20210810 [SECURITY] [DLA 2735-1] ceph security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00013.html" }, { "name": "[debian-lts-announce] 20231023 [SECURITY] [DLA 3629-1] ceph security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-10753", "datePublished": "2020-06-26T00:00:00", "dateReserved": "2020-03-20T00:00:00", "dateUpdated": "2024-08-04T11:14:15.190Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }