Improper Input Validation Affecting ceph package, versions <16.2.4-0ubuntu1


Severity

Recommended
0.0
medium
0
10

Based on Ubuntu security rating.

Threat Intelligence

EPSS
0.72% (82nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Input Validation vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-UBUNTU2204-CEPH-2784749
  • published21 May 2021
  • disclosed17 May 2021

Introduced: 17 May 2021

CVE-2021-3524  (opens in a new tab)
CWE-20  (opens in a new tab)

How to fix?

Upgrade Ubuntu:22.04 ceph to version 16.2.4-0ubuntu1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream ceph package and not the ceph package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway) in versions before 14.2.21. The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. In addition, the prior bug fix for CVE-2020-10753 did not account for the use of \r as a header separator, thus a new flaw has been created.

CVSS Scores

version 3.1