Bug 1372438 - RGW permits bucket listing when authenticated_users=read
Summary: RGW permits bucket listing when authenticated_users=read
Keywords:
Status: CLOSED DUPLICATE of bug 1372572
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RGW
Version: 1.3.2
Hardware: All
OS: All
unspecified
high
Target Milestone: rc
: 1.3.3
Assignee: Matt Benjamin (redhat)
QA Contact: ceph-qe-bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-09-01 17:33 UTC by Matt Benjamin (redhat)
Modified: 2017-07-30 15:44 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-07 14:57:59 UTC
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Ceph Project Bug Tracker | 13207 | 0 | None | None | None | 2016-09-01 17:36:22 UTC
Red Hat Bugzilla | 1372446 | 0 | medium | CLOSED | CVE-2016-7031 ceph: RGW permits bucket listing when authenticated_users=read | 2021-02-22 00:41:40 UTC

Internal Links: 1372446

Description Matt Benjamin (redhat) 2016-09-01 17:33:49 UTC
Description of problem:

An anonymous S3 user may be able to (incorrectly) list the contents of a bucket which has an authenticated_users=read ACL.


Version-Release number of selected component (if applicable):
1.3.x


Additional info:
This issue corresponds to upstream tracker issue
http://tracker.ceph.com/issues/13207

Fixed on master in
https://github.com/ceph/ceph/pull/6057 

Fix pulled to ceph-1.3-rhel-patches
commit eabd06622cff8fbc0d2fe612de2538d034e7fb24
(cherry picked from commit 99ba6610a8f437604cadf68cbe9969def893e870)
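
The access decision the report expects, as an added example that is not part of the bug report or of the RGW code. It assumes the report's authenticated_users=read corresponds to a READ grant to the S3 AuthenticatedUsers group (the canned authenticated-read ACL); `parse_grants`, `may_list` and the sample policy are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed sample: an S3 ACL document of the shape produced by "authenticated-read".
SAMPLE_ACL = """<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner><ID>owner-id</ID></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>owner-id</ID></Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group"><URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI></Grantee>
      <Permission>READ</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>"""

def parse_grants(acl_xml):
    """Return (grantee_kind, grantee_value, permission) tuples from an ACL document."""
    grants = []
    for g in ET.fromstring(acl_xml).findall("s3:AccessControlList/s3:Grant", NS):
        grantee = g.find("s3:Grantee", NS)
        perm = g.findtext("s3:Permission", namespaces=NS)
        uri = grantee.findtext("s3:URI", namespaces=NS)
        uid = grantee.findtext("s3:ID", namespaces=NS)
        grants.append(("group", uri, perm) if uri else ("user", uid, perm))
    return grants

def may_list(acl_xml, requester_id=None):
    """True if the requester may list the bucket; requester_id=None means anonymous."""
    for kind, value, perm in parse_grants(acl_xml):
        if perm not in ("READ", "FULL_CONTROL"):
            continue
        if kind == "user" and requester_id is not None and value == requester_id:
            return True
        if kind == "group" and value == ALL_USERS:
            return True
        # The AuthenticatedUsers group must never match an anonymous request.
        if kind == "group" and value == AUTH_USERS and requester_id is not None:
            return True
    return False
```

Comparing `may_list(acl, None)` with the result of an unsigned bucket listing request against a patched gateway gives a simple regression check for this bug.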

