Vulnerability CVE-2021-3524: Information
Description
A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway) in versions before 14.2.21. The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. In addition, the prior bug fix for CVE-2020-10753 did not account for the use of \r as a header separator, thus a new flaw has been created.
Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
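To make the description concrete from a defender's side, the following added example (not part of the advisory or of Ceph's code) audits the `ExposeHeader` values of a CORS configuration and shows why a check that looks only for `\n` misses a value carrying a bare `\r`. The S3-style XML layout, the sample document and the `audit` helper are assumptions made for the illustration; the LF-only check is modelled on the description above, not on the actual earlier patch.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the S3-style CORS XML layout; not from a real bucket.
# &#10; and &#13; are the XML character references for LF and CR.
SAMPLE_CORS_XML = """<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin>https://app.example</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <ExposeHeader>x-amz-request-id</ExposeHeader>
    <ExposeHeader>x-one&#10;x-constructed: lf</ExposeHeader>
    <ExposeHeader>x-two&#13;x-constructed: cr</ExposeHeader>
  </CORSRule>
</CORSConfiguration>"""

# RFC 7230 "token": the only characters a header field name may contain.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def expose_headers(xml_text):
    """Return the text of every ExposeHeader element, with or without a namespace."""
    root = ET.fromstring(xml_text)
    return [el.text or "" for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "ExposeHeader"]


def audit(xml_text):
    """Compare three checks on each ExposeHeader value (hypothetical helper)."""
    values = expose_headers(xml_text)
    lf_only = [v for v in values if "\n" in v]             # misses a bare CR
    cr_or_lf = [v for v in values if "\r" in v or "\n" in v]
    not_token = [v for v in values if not TOKEN.fullmatch(v)]  # allowlist
    return {
        "lf_only": lf_only,
        "cr_or_lf": cr_or_lf,
        "missed_by_lf_only": [v for v in cr_or_lf if v not in lf_only],
        "not_token": not_token,
    }


if __name__ == "__main__":
    for check, hits in audit(SAMPLE_CORS_XML).items():
        print(f"{check}: {[repr(v) for v in hits]}")
```

The allowlist check is the more robust of the three, since it rejects any character that cannot appear in a header field name instead of enumerating separators.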
Fixed packages
Package name | Branch | Fixed in version | Version in repository | Errata ID | Task No. | Status |
---|---|---|---|---|---|---|
ceph | sisyphus | 15.2.5-alt1 | 18.2.1-alt2.1 | ALT-PU-2020-2845-1 | 258345 | Fixed |
ceph | p10 | 15.2.5-alt1 | 17.2.7-alt2 | ALT-PU-2020-2845-1 | 258345 | Fixed |
ceph | p9 | 14.2.21-alt1 | 14.2.22-alt1 | ALT-PU-2021-1830-1 | 271937 | Fixed |
ceph | c10f1 | 15.2.5-alt1 | 17.2.6-alt2 | ALT-PU-2020-2845-1 | 258345 | Fixed |
ceph | c9f2 | 14.2.22-alt1 | 14.2.22-alt1 | ALT-PU-2021-2332-1 | 279851 | Fixed |
Links to advisories, solutions and tools
Link | Resource |
---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1951674 | |
[debian-lts-announce] 20210810 [SECURITY] [DLA 2735-1] ceph security update | |
[debian-lts-announce] 20231023 [SECURITY] [DLA 3629-1] ceph security update | |
FEDORA-2021-ec414c5e18 | |
FEDORA-2021-6e540b85b9 | |
FEDORA-2021-1bf13db941 | |