Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
This project is now read‑only. Starting Monday, February 2, please use https://ibm-ceph.atlassian.net/ for all bug tracking management.

Bug 2323277

Summary: CVE-2024-48916 ceph: Authentication bypass in CEPH RadosGW [ceph-6]
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Sage McTaggart <amctagga>
Component: SecurityAssignee: Justin Caratzas <jcaratza>
Status: CLOSED DUPLICATE QA Contact: Vivek Das <vdas>
Severity: high Docs Contact:
Priority: high    
Version: 6.1CC: abhraj, amctagga, ceph-eng-bugs, cephqe-warriors, jcaratza, saraut, sostapov, vdas
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: 6.1z9   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 2323276 Environment:
Last Closed: 2025-04-21 15:08:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2323279    

Description Sage McTaggart 2024-11-01 21:06:13 UTC 
+++ This bug was initially created as a clone of Bug #2323276 +++

+++ This bug was initially created as a clone of Bug #2323274 +++

https://github.com/ceph/ceph/security/advisories/GHSA-5g9m-mmp6-93mq
Summary below: 
Description
Summary

It is possible to bypass the CEPH rados authentication gw by proving an JWT as demonstrated in the PoC. In this case Keycloak is used as IdP.

This was found during a penetration test. Please assign CVE and credit me as finding this vulnerability. Do not mention the customer/organisation in public reports etc.

Details has also been provided to security before. As always, please fix this within 90 days as we plan to go public.
Details

It is possible to send an JWT that has "none" as JWT alg. And by doing so the JWT signature is not checked.

The vulnerability is probably in the RadosGW OIDC provider.
PoC

The HTTP request can be found below. But without the JWT:

POST / HTTP/2
Host: storage.xxx.se
User-Agent: aws-sdk-go-v2/1.18.0 os/macos lang/go/1.21.1 X:nocoverageredesign md/GOOS/darwin md/GOARCH/arm64 api/sts/1.19.0
Content-Type: application/x-www-form-urlencoded
Amz-Sdk-Invocation-Id: 30a74697-7d7e-4c02-b041-97d68156ee78
Amz-Sdk-Request: attempt=1; max=3
Content-Length: 1508
Accept-Encoding: gzip, deflate, br

Action=AssumeRoleWithWebIdentity&DurationSeconds=3600&RoleArn=arn%3Aaws%3Aiam%3A%3Aorg_pentest002%3Arole%2Fu-pentest002STS&RoleSessionName=test&Version=2011-06-15&WebIdentityToken=ey..

Impact

This was found during a penetration test. Please assign CVE and credit me as finding this vulnerability. We can also request CVE from Mitre.
Comment 5 Red Hat Bugzilla 2025-08-20 04:25:04 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days