CVE-2021-3531
ceph: RGW unauthenticated denial of service
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A flaw was found in the Red Hat Ceph Storage RGW in versions before 14.2.21. When processing a GET Request for a swift URL that ends with two slashes it can cause the rgw to crash, resulting in a denial of service. The greatest threat to the system is of availability.
Se encontró un fallo en Red Hat Ceph Storage RGW en versiones anteriores a 14.2.21. Cuando se procesa una petición GET para una URL rápida que termina con dos barras, puede hacer que rgw pueda bloquearse, resultando en una denegación de servicio. La mayor amenaza para el sistema es la disponibilidad
A flaw was found in the Red Hat Ceph Storage RGW. When processing a GET Request for a swift URL that ends with two slashes, it can cause the RGW to crash, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
It was discovered that in some situations Ceph logged passwords from the mgr module in clear text. An attacker could use this to expose sensitive information. Goutham Pacha Ravi, Jahson Babel, and John Garbutt discovered that user credentials in Ceph could be manipulated in certain environments. An attacker could use this to gain unintended access. It was discovered that the Ceph dashboard was susceptible to a cross-site scripting attack. An attacker could use this to expose sensitive information or gain unintended access. Various other issues were also addressed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-05-03 CVE Reserved
- 2021-05-18 CVE Published
- 2024-08-03 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
- CWE-617: Reachable Assertion
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2021/05/14/5 | 2023-11-07 | |
| http://www.openwall.com/lists/oss-security/2021/05/17/7 | 2023-11-07 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1955326 | 2022-04-04 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Ceph Search vendor "Redhat" for product "Ceph" | < 14.2.21 Search vendor "Redhat" for product "Ceph" and version " < 14.2.21" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Ceph Storage Search vendor "Redhat" for product "Ceph Storage" | 4.0 Search vendor "Redhat" for product "Ceph Storage" and version "4.0" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 32 Search vendor "Fedoraproject" for product "Fedora" and version "32" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 34 Search vendor "Fedoraproject" for product "Fedora" and version "34" | - |
Affected
| ||||||