CVE-2015-5245 – Ceph: RGW returns requested bucket name raw in Bucket response header

https://notcve.org/view.php?id=CVE-2015-5245

CRLF injection vulnerability in the Ceph Object Gateway (aka radosgw or RGW) in Ceph before 0.94.4 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted bucket name. Vulnerabilidad de inyección CRLF en la Ceph Object Gateway (también conocida como radosgw o RGW) en Ceph en versiones anteriores a 0.94.4 permite a atacantes remotos inyectar cabeceras HTTP arbitrarias y llevar a cabo ataques de separación de respuesta HTTP a través de un nombre de contenedor manipulado. A feature in Ceph Object Gateway (RGW) allows to return a specific HTTP header that contains the name of a bucket that was accessed. It was found that the returned HTTP headers were not sanitized. An unauthenticated attacker could use this flaw to craft HTTP headers in responses that would confuse the load balancer residing in front of RGW, potentially resulting in a denial of service. • http://lists.ceph.com/pipermail/ceph-announce-ceph.com/2015-October/000034.html http://tracker.ceph.com/issues/12537 https://access.redhat.com/errata/RHSA-2015:2512 https://access.redhat.com/security/cve/CVE-2015-5245 https://bugzilla.redhat.com/show_bug.cgi?id=1261606 • CWE-20: Improper Input Validation •