An unprivileged user can write to any bucket(s) accessible by a given key if a POST’s form-data contains a key called ‘bucket’ with a value matching the name of the bucket used to sign the request. The result of this is that a user could actually upload to any bucket accessible by the specified access key as long as the bucket in the POST policy matches the bucket in said POST form part. Fix this simply by setting the bucket to the correct value after the POST form parts are processed, ignoring the form part above if specified.
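The flaw described above, as an added example that is not code from the bug report or from Ceph: a small Python model of a browser-based S3 POST upload handler in which every multipart form part becomes a policy-evaluation variable, so a part named `bucket` silently replaces the bucket variable seeded from the request URL. The hardened variant applies the fix stated above and resets the bucket after the parts are processed. The policy signing is a deliberate simplification (a direct HMAC-SHA256 over the base64 policy instead of SigV4 key derivation), and the bucket names, key and secret are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

SECRET = "example-secret-key"  # constructed secret key of the account that signed the policy


def make_policy(secret_key: str, bucket: str, key_prefix: str) -> dict:
    """Fields a key owner would hand to a browser uploader for one bucket.

    Simplified signing (assumption): HMAC-SHA256 over the base64 policy.
    """
    policy = {
        "expiration": "2099-01-01T00:00:00Z",
        "conditions": [
            {"bucket": bucket},                  # upload may only land in this bucket
            ["starts-with", "$key", key_prefix],
        ],
    }
    policy_b64 = base64.b64encode(json.dumps(policy).encode()).decode()
    sig = hmac.new(secret_key.encode(), policy_b64.encode(), hashlib.sha256).hexdigest()
    return {"policy": policy_b64, "x-amz-signature": sig}


def _conditions_hold(policy_b64: str, env: dict) -> bool:
    """Evaluate each policy condition against the variables collected in env."""
    policy = json.loads(base64.b64decode(policy_b64))
    for cond in policy["conditions"]:
        if isinstance(cond, dict):               # {"bucket": "x"} -> exact match
            for name, expected in cond.items():
                if env.get(name) != expected:
                    return False
        elif cond[0] == "starts-with":           # ["starts-with", "$key", "prefix/"]
            if not env.get(cond[1].lstrip("$"), "").startswith(cond[2]):
                return False
        else:
            return False                         # unknown operator: fail closed
    return True


def handle_post(url_bucket: str, form_parts: list, secret_key: str, fixed: bool):
    """Process a POST upload addressed to url_bucket (the bucket in the request URL).

    form_parts is the ordered list of (name, value) multipart parts. With
    fixed=False a form part named 'bucket' overwrites the variable seeded from
    the URL, so the policy's bucket condition is checked against attacker
    input while the object is still written to url_bucket. With fixed=True the
    bucket is reset after the parts are processed, as the fix above describes.
    """
    env = {"bucket": url_bucket}
    for name, value in form_parts:
        env[name] = value                        # every part becomes a policy variable
    if fixed:
        env["bucket"] = url_bucket               # ignore any 'bucket' form part
    policy_b64 = env.get("policy", "")
    sig = hmac.new(secret_key.encode(), policy_b64.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, env.get("x-amz-signature", "")):
        return ("rejected", "bad signature")
    if not _conditions_hold(policy_b64, env):
        return ("rejected", "policy conditions not met")
    return ("stored", url_bucket, env.get("key", ""))  # written to the URL's bucket


# Constructed scenario: the policy was signed for 'public-uploads' only.
SIGNED = make_policy(SECRET, "public-uploads", "incoming/")

# Legitimate form: posted to the bucket the policy names, no 'bucket' part.
LEGIT_PARTS = [("key", "incoming/report.pdf"),
               ("policy", SIGNED["policy"]),
               ("x-amz-signature", SIGNED["x-amz-signature"])]

# Attacker form: same signed policy, posted to a different bucket the key can
# reach, plus a 'bucket' part equal to the bucket named in the policy.
ATTACKER_PARTS = [("key", "incoming/evil.txt"),
                  ("bucket", "public-uploads"),
                  ("policy", SIGNED["policy"]),
                  ("x-amz-signature", SIGNED["x-amz-signature"])]

if __name__ == "__main__":
    print("vulnerable:", handle_post("private-bucket", ATTACKER_PARTS, SECRET, fixed=False))
    print("fixed:     ", handle_post("private-bucket", ATTACKER_PARTS, SECRET, fixed=True))
    print("legit:     ", handle_post("public-uploads", LEGIT_PARTS, SECRET, fixed=True))
```

The vulnerable path stores `incoming/evil.txt` in `private-bucket` even though the signed policy only permits `public-uploads`; the fixed path rejects the same request because the bucket condition is now evaluated against the URL's bucket, while the legitimate upload continues to succeed.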
Hi Anten, This shouldn't impact OpenStack (at least directly). librgw is from the ceph package. OpenStack pulls this from RHEL or Ceph directly on all the releases. It will cause container grade updates after it's resolved.
This issue has been addressed in the following products: Red Hat Ceph Storage 6.1 Via RHSA-2023:5693 https://access.redhat.com/errata/RHSA-2023:5693
This issue has been addressed in the following products: Red Hat Ceph Storage 5.3 Via RHSA-2024:0745 https://access.redhat.com/errata/RHSA-2024:0745