doc/security/cves.rst
+------------+-------------------+-------------+---------------------------------------------+
| Published  | CVE               | Severity    | Summary                                     |
+------------+-------------------+-------------+---------------------------------------------+
| 2023-02-02 | CVE-2023-46159_   | Medium      | DoS from RGW                                |
+------------+-------------------+-------------+---------------------------------------------+
| 2023-01-17 | CVE-2022-3650_    | High        | ceph-crash run as user, not root            |
+------------+-------------------+-------------+---------------------------------------------+
| 2022-07-21 | CVE-2022-0670_    | Medium      | Native-CephFS Manila Path-restriction bypass|
+------------+-------------------+-------------+---------------------------------------------+
| 2021-05-13 | CVE-2021-3531_    | Medium      | Swift API denial of service                 |
+------------+-------------------+-------------+---------------------------------------------+
| 2021-05-13 | CVE-2021-3524_    | Medium      | HTTP header injects via CORS in RGW         |
+------------+-------------------+-------------+---------------------------------------------+
| 2021-05-13 | CVE-2021-3509_    | High        | Dashboard XSS via token cookie              |
+------------+-------------------+-------------+---------------------------------------------+
| 2021-04-14 | CVE-2021-20288_   | High        | Unauthorized global_id reuse in cephx       |
+------------+-------------------+-------------+---------------------------------------------+
| 2020-12-18 | CVE-2020-27781_   | 7.1 High    | CephFS creds read/modified by Manila users  |
+------------+-------------------+-------------+---------------------------------------------+
| 2021-01-08 | CVE-2020-25678_   | 4.9 Medium  | mgr module passwords in clear text          |
+------------+-------------------+-------------+---------------------------------------------+
| 2020-12-07 | CVE-2020-25677_   | 5.5 Medium  | ceph-ansible iscsi-gateway.conf perm        |
+------------+-------------------+-------------+---------------------------------------------+
| 2020-11-23 | CVE-2020-25660_   | 8.8 High    | Cephx replay vulnerability                  |
+------------+-------------------+-------------+---------------------------------------------+
| 2020-04-22 | CVE-2020-12059_   | 7.5 High    | malformed POST could crash RGW              |
+------------+-------------------+-------------+---------------------------------------------+
| 2020-06-26 | CVE-2020-10753_   | 6.5 Medium  | HTTP header injects via CORS in RGW         |
+------------+-------------------+-------------+---------------------------------------------+
| 2020-06-22 | CVE-2020-10736_   | 8.0 High    | authorization bypass in mon and mgr         |
+------------+-------------------+-------------+---------------------------------------------+
| 2020-04-23 | CVE-2020-1760_    | 6.1 Medium  | potential RGW XSS attack                    |
+------------+-------------------+-------------+---------------------------------------------+
| 2020-04-13 | CVE-2020-1759_    | 6.8 Medium  | Cephx nonce reuse in secure mode            |
+------------+-------------------+-------------+---------------------------------------------+
| 2020-02-07 | CVE-2020-1700_    | 6.5 Medium  | RGW disconnects leak sockets, can DoS       |
+------------+-------------------+-------------+---------------------------------------------+
| 2020-04-21 | CVE-2020-1699_    | 7.5 High    | Dashboard path traversal flaw               |
+------------+-------------------+-------------+---------------------------------------------+
| 2019-12-23 | CVE-2019-19337_   | 6.5 Medium  | RGW DoS via malformed headers               |
+------------+-------------------+-------------+---------------------------------------------+
| 2019-11-08 | CVE-2019-10222_   | 7.5 High    | Invalid HTTP headers could crash RGW        |
+------------+-------------------+-------------+---------------------------------------------+
| 2019-03-27 | CVE-2019-3821_    | 7.5 High    | RGW file descriptors could be exhausted     |
+------------+-------------------+-------------+---------------------------------------------+
| 2019-01-28 | CVE-2018-16889_   | 7.5 High    | encryption keys logged in plaintext         |
+------------+-------------------+-------------+---------------------------------------------+
| 2019-01-15 | CVE-2018-16846_   | 6.5 Medium  | authenticated RGW users can cause DoS       |
+------------+-------------------+-------------+---------------------------------------------+
| 2019-01-15 | CVE-2018-14662_   | 5.7 Medium  | read-only users could steal dm-crypt keys   |
+------------+-------------------+-------------+---------------------------------------------+
| 2018-07-10 | CVE-2018-10861_   | 8.1 High    | authenticated user can create/delete pools  |
+------------+-------------------+-------------+---------------------------------------------+
| 2018-03-19 | CVE-2018-7262_    | 7.5 High    | malformed headers can cause RGW DoS         |
+------------+-------------------+-------------+---------------------------------------------+
| 2018-07-10 | CVE-2018-1129_    | 6.5 Medium  | network MITM can tamper with messages       |
+------------+-------------------+-------------+---------------------------------------------+
| 2018-07-10 | CVE-2018-1128_    | 7.5 High    | Cephx replay vulnerability                  |
+------------+-------------------+-------------+---------------------------------------------+
| 2018-07-27 | CVE-2017-7519_    | 4.4 Medium  | libradosstriper unvalidated format string   |
+------------+-------------------+-------------+---------------------------------------------+
| 2018-08-01 | CVE-2016-9579_    | 7.6 High    | potential RGW XSS attack                    |
+------------+-------------------+-------------+---------------------------------------------+
| 2018-07-31 | CVE-2016-8626_    | 6.5 Medium  | malformed POST can DoS RGW                  |
+------------+-------------------+-------------+---------------------------------------------+
| 2016-10-03 | CVE-2016-7031_    | 7.5 High    | RGW unauthorized bucket listing             |
+------------+-------------------+-------------+---------------------------------------------+
| 2016-07-12 | CVE-2016-5009_    | 6.5 Medium  | mon command handler DoS                     |
+------------+-------------------+-------------+---------------------------------------------+
| 2016-12-03 | CVE-2015-5245_    |             | RGW header injection                        |
+------------+-------------------+-------------+---------------------------------------------+

.. toctree::
   :hidden:
   :maxdepth: 0

   CVE-2022-0670 <CVE-2022-0670.rst>
   CVE-2021-3531 <CVE-2021-3531.rst>
   CVE-2021-3524 <CVE-2021-3524.rst>
   CVE-2021-3509 <CVE-2021-3509.rst>
   CVE-2021-20288 <CVE-2021-20288.rst>

.. _CVE-2023-46159: https://nvd.nist.gov/vuln/detail/cve-2023-46159
.. _CVE-2022-3650: https://nvd.nist.gov/vuln/detail/cve-2022-3650
.. _CVE-2022-0670: ../CVE-2022-0670
.. _CVE-2021-3531: ../CVE-2021-3531
.. _CVE-2021-3524: ../CVE-2021-3524
.. _CVE-2021-3509: ../CVE-2021-3509
.. _CVE-2021-20288: ../CVE-2021-20288
.. _CVE-2020-27781: https://nvd.nist.gov/vuln/detail/CVE-2020-27781
.. _CVE-2020-25678: https://nvd.nist.gov/vuln/detail/CVE-2020-25678
.. _CVE-2020-25677: https://nvd.nist.gov/vuln/detail/CVE-2020-25677
.. _CVE-2020-25660: https://nvd.nist.gov/vuln/detail/CVE-2020-25660
.. _CVE-2020-12059: https://nvd.nist.gov/vuln/detail/CVE-2020-12059
.. _CVE-2020-10753: https://nvd.nist.gov/vuln/detail/CVE-2020-10753
.. _CVE-2020-10736: https://nvd.nist.gov/vuln/detail/CVE-2020-10736
.. _CVE-2020-1760: https://nvd.nist.gov/vuln/detail/CVE-2020-1760
.. _CVE-2020-1759: https://nvd.nist.gov/vuln/detail/CVE-2020-1759
.. _CVE-2020-1700: https://nvd.nist.gov/vuln/detail/CVE-2020-1700
.. _CVE-2020-1699: https://nvd.nist.gov/vuln/detail/CVE-2020-1699
.. _CVE-2019-19337: https://nvd.nist.gov/vuln/detail/CVE-2019-19337
.. _CVE-2019-10222: https://nvd.nist.gov/vuln/detail/CVE-2019-10222
.. _CVE-2019-3821: https://nvd.nist.gov/vuln/detail/CVE-2019-3821
.. _CVE-2018-16889: https://nvd.nist.gov/vuln/detail/CVE-2018-16889
.. _CVE-2018-16846: https://nvd.nist.gov/vuln/detail/CVE-2018-16846
.. _CVE-2018-14662: https://nvd.nist.gov/vuln/detail/CVE-2018-14662
.. _CVE-2018-10861: https://nvd.nist.gov/vuln/detail/CVE-2018-10861
.. _CVE-2018-7262: https://nvd.nist.gov/vuln/detail/CVE-2018-7262
.. _CVE-2018-1129: https://nvd.nist.gov/vuln/detail/CVE-2018-1129
.. _CVE-2018-1128: https://nvd.nist.gov/vuln/detail/CVE-2018-1128
.. _CVE-2017-7519: https://nvd.nist.gov/vuln/detail/CVE-2017-7519
.. _CVE-2016-9579: https://nvd.nist.gov/vuln/detail/CVE-2016-9579
.. _CVE-2016-8626: https://nvd.nist.gov/vuln/detail/CVE-2016-8626
.. _CVE-2016-7031: https://nvd.nist.gov/vuln/detail/CVE-2016-7031
.. _CVE-2016-5009: https://nvd.nist.gov/vuln/detail/CVE-2016-5009
.. _CVE-2015-5245: https://nvd.nist.gov/vuln/detail/CVE-2015-5245