2392386 – (CVE-2024-47866) CVE-2024-47866 rgw: RGW DoS attack with empty HTTP header in S3 object copy

Bug 2392386 (CVE-2024-47866) - CVE-2024-47866 rgw: RGW DoS attack with empty HTTP header in S3 object copy

Summary: CVE-2024-47866 rgw: RGW DoS attack with empty HTTP header in S3 object copy

Keywords:
Status:	NEW
Alias:	CVE-2024-47866
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2392479 2392480 2392482
Blocks:
TreeView+	depends on / blocked

Reported:	2025-09-01 13:36 UTC by OSIDB Bzimport
Modified:	2026-02-17 00:51 UTC (History)
CC List:	14 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2026:2769	0	None	None	None	2026-02-17 00:51:16 UTC

Description OSIDB Bzimport 2025-09-01 13:36:05 UTC

Ceph RGW will crash if x-amz-copy-source is used to put an empty string as the object, resulting in impact to availability.

Comment 2 errata-xmlrpc 2026-02-17 00:51:15 UTC

This issue has been addressed in the following products:

  Red Hat Ceph Storage 7.1

Via RHSA-2026:2769 https://access.redhat.com/errata/RHSA-2026:2769

Note You need to log in before you can comment on or make changes to this bug.