Bug 1403007 - An anonymous user can provoke an abort() of the RGW server by sending a request with an invalid HTTP Origin header, against buckets with CORS AllowedOrigin rules.
Status: CLOSED DUPLICATE of bug 1404375
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RGW
Version: 1.3.3
Hardware: All
OS: All
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: 1.3.3
Assignee: Matt Benjamin (redhat)
QA Contact: ceph-qe-bugs
Blocks: CVE-2016-9579
Reported: 2016-12-08 21:00 UTC by Matt Benjamin (redhat)
Modified: 2017-07-30 16:03 UTC

Fixed In Version: RHEL: ceph-0.94.9-9.el7cp Ubuntu: ceph_0.94.9-10redhat1trusty
Clone Of: 1403003
Last Closed: 2016-12-16 17:03:54 UTC

Links
System: Ceph Project Bug Tracker
ID: 18187
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2016-12-08 21:00:55 UTC

Comment 7 Ken Dreyer (Red Hat) 2016-12-16 17:03:54 UTC
Siddharth filed a security bug for RHCS 1.3, and we'll use that instead: bz 1404375

*** This bug has been marked as a duplicate of bug 1404375 ***
