Bug 2323279 - CVE-2024-48916 ceph-radosgw: Authentication bypass in CEPH RadosGW
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: Security
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 8.0z1
Assignee: Scott Ostapovicz
QA Contact: Vivek Das
URL:
Whiteboard:
Depends On: 2323274 2323276 2323277 2335038 2335039
Blocks:
Reported: 2024-11-01 21:11 UTC by Sage McTaggart
Modified: 2025-04-21 15:08 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-12-11 14:14:11 UTC
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | RHCEPH-10170 | 0 | None | None | None | 2024-11-01 21:14:19 UTC
Red Hat Product Errata | RHSA-2024:10956 | 0 | None | None | None | 2024-12-11 14:14:13 UTC

Description Sage McTaggart 2024-11-01 21:11:05 UTC
https://github.com/ceph/ceph/security/advisories/GHSA-5g9m-mmp6-93mq
upstream CVE report for Ceph storage
An attacker can bypass the CEPH rados authentication gw by providing a JWT with "none" as the encryption algorithm. This impacts Confidentiality and Availability.
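
Added illustration of the issue class described above (not Ceph's code and not part of the original report): a minimal JWT verifier that pins the accepted algorithm on the server side, so a token whose header says "none" is rejected before any signature handling. HS256, the key, the claims and all function names are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import json

ALLOWED_ALGS = {"HS256"}  # assumption: the server pins HMAC-SHA256; the token never chooses

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))  # restore stripped padding

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify_jwt(token, key):
    """Return the claims of a correctly signed token, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # bad base64, bad UTF-8 and bad JSON are all ValueError
        raise ValueError("malformed token") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    # Exact-match allow-list: "none", "None", a missing or non-string alg all stop here.
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {alg!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time; empty sig fails
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))

def make_token(header, claims, key=None):
    """Build a constructed sample token; key=None leaves the signature empty."""
    signing_input = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if key else b""
    return f"{signing_input}.{b64url_encode(sig)}"

def is_accepted(token, key):
    try:
        verify_jwt(token, key)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample value
    print(is_accepted(make_token({"alg": "HS256"}, {"sub": "alice"}, key), key))
    print(is_accepted(make_token({"alg": "none"}, {"sub": "alice"}), key))
```

The same checks work as a regression test after applying the errata: a token with an unlisted or missing algorithm, or with an empty signature segment, must never reach the code path that returns claims.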

Comment 5 errata-xmlrpc 2024-12-11 14:14:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat Ceph Storage 8.0 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2024:10956