Bug 1372446 (CVE-2016-7031)
| Summary: | CVE-2016-7031 ceph: RGW permits bucket listing when authenticated_users=read | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Siddharth Sharma <sisharma> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aortega, apevec, ayoung, ceph-eng-bugs, chrisw, cvsbot-xmlrpc, jschluet, kbasil, lars, lhh, lpeer, markmc, mburns, rbryant, rhos-maint, sclewis, sisharma, slong, srevivo, tdecacqu |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in Ceph RGW code which allows an anonymous user to list contents of RGW bucket by bypassing ACL which should only allow authenticated users to list contents of bucket.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-09-29 14:35:37 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1372572 | ||
| Bug Blocks: | 1372443 | ||
|
Description
Siddharth Sharma
2016-09-01 18:22:03 UTC
This issue has been addressed in the following products: Red Hat Ceph Storage 1.3 for RHEL 7 Via RHSA-2016:1972 https://rhn.redhat.com/errata/RHSA-2016-1972.html This issue has been addressed in the following products: Red Hat Ceph Storage 1.3 for Ubuntu Via RHSA-2016:1973 https://rhn.redhat.com/errata/RHSA-2016-1973.html |