CVE-2018-10861
ceph: ceph-mon does not perform authorization on OSD pool ops
Descriptions
A flaw was found in the way ceph mon handles user requests. Any authenticated ceph user having read access to ceph can delete, create ceph storage pools and corrupt snapshot images. Ceph branches master, mimic, luminous and jewel are believed to be affected.
A flaw was found in the way ceph mon handles user requests. Any authenticated ceph user having read access to ceph can delete and corrupt snapshot images.
Timeline
- 2018-05-09 CVE Reserved
- 2018-07-10 CVE Published
- 2024-02-03 EPSS Updated
- 2024-09-16 CVE Updated
CWE
- CWE-285: Improper Authorization
- CWE-287: Improper Authentication
References (11)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/104742 | Third Party Advisory | |
URL | Date | SRC |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1593308 | 2018-07-26 | |
https://github.com/ceph/ceph/commit/975528f632f73fbffa3f1fee304e3bbe3296cffc | 2019-10-09 | |
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00100.html | 2019-10-09 | |
http://tracker.ceph.com/issues/24838 | 2019-10-09 | |
https://access.redhat.com/errata/RHSA-2018:2177 | 2019-10-09 | |
https://access.redhat.com/errata/RHSA-2018:2179 | 2019-10-09 | |
https://access.redhat.com/errata/RHSA-2018:2261 | 2019-10-09 | |
https://access.redhat.com/errata/RHSA-2018:2274 | 2019-10-09 | |
https://www.debian.org/security/2018/dsa-4339 | 2019-10-09 | |
https://access.redhat.com/security/cve/CVE-2018-10861 | 2018-07-26 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Ceph | Ceph | 10.2.0 | - | Affected |
Ceph | Ceph | 10.2.1 | - | Affected |
Ceph | Ceph | 10.2.2 | - | Affected |
Ceph | Ceph | 10.2.3 | - | Affected |
Ceph | Ceph | 10.2.4 | - | Affected |
Ceph | Ceph | 10.2.5 | - | Affected |
Ceph | Ceph | 10.2.6 | - | Affected |
Ceph | Ceph | 10.2.7 | - | Affected |
Ceph | Ceph | 10.2.8 | - | Affected |
Ceph | Ceph | 10.2.9 | - | Affected |
Ceph | Ceph | 10.2.10 | - | Affected |
Ceph | Ceph | 10.2.11 | - | Affected |
Ceph | Ceph | 12.2.0 | - | Affected |
Ceph | Ceph | 12.2.1 | - | Affected |
Ceph | Ceph | 12.2.2 | - | Affected |
Ceph | Ceph | 12.2.3 | - | Affected |
Ceph | Ceph | 12.2.4 | - | Affected |
Ceph | Ceph | 12.2.5 | - | Affected |
Ceph | Ceph | 12.2.6 | - | Affected |
Ceph | Ceph | 12.2.7 | - | Affected |
Ceph | Ceph | 13.2.0 | - | Affected |
Ceph | Ceph | 13.2.1 | - | Affected |
Redhat | Ceph Storage | 3 | - | Affected |
Redhat | Ceph Storage Mon | 2 | - | Affected |
Redhat | Ceph Storage Mon | 3 | - | Affected |
Redhat | Ceph Storage Osd | 2 | - | Affected |
Redhat | Ceph Storage Osd | 3 | - | Affected |
Redhat | Enterprise Linux Desktop | 7.0 | - | Affected |
Redhat | Enterprise Linux Server | 7.0 | - | Affected |
Redhat | Enterprise Linux Workstation | 7.0 | - | Affected |
Opensuse | Leap | 15.0 | - | Affected |
Debian | Debian Linux | 9.0 | - | Affected |