{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2020-1760", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2024-08-04T06:46:30.894Z", "dateReserved": "2019-11-27T00:00:00", "datePublished": "2020-04-23T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-10-23T18:06:26.533482"}, "descriptions": [{"lang": "en", "value": "A flaw was found in the Ceph Object Gateway, where it supports request sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input."}], "affected": [{"vendor": "[UNKNOWN]", "product": "ceph", "versions": [{"version": "15.2.1", "status": "affected"}, {"version": "14.2.9", "status": "affected"}, {"version": "13.2.9", "status": "affected"}]}], "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1760"}, {"url": "https://www.openwall.com/lists/oss-security/2020/04/07/1"}, {"name": "FEDORA-2020-81b9c6cddc", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P3A2UFR5IUIEXJUCF64GQ5OVLCZGODXE/"}, {"name": "USN-4528-1", "tags": ["vendor-advisory"], "url": "https://usn.ubuntu.com/4528-1/"}, {"name": "GLSA-202105-39", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202105-39"}, {"name": "[debian-lts-announce] 20210810 [SECURITY] [DLA 2735-1] ceph security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00013.html"}, {"name": "[debian-lts-announce] 20231023 [SECURITY] [DLA 3629-1] ceph security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-79", "cweId": "CWE-79"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T06:46:30.894Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1760", "tags": ["x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2020/04/07/1", "tags": ["x_transferred"]}, {"name": "FEDORA-2020-81b9c6cddc", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P3A2UFR5IUIEXJUCF64GQ5OVLCZGODXE/"}, {"name": "USN-4528-1", "tags": ["vendor-advisory", "x_transferred"], "url": "https://usn.ubuntu.com/4528-1/"}, {"name": "GLSA-202105-39", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202105-39"}, {"name": "[debian-lts-announce] 20210810 [SECURITY] [DLA 2735-1] ceph security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00013.html"}, {"name": "[debian-lts-announce] 20231023 [SECURITY] [DLA 3629-1] ceph security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:ceph:*:*:*:*:*:*:*:*", "matchCriteriaId": "26BB96DD-5842-4227-8B10-984C536A5FFB", "versionEndExcluding": "14.2.21", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ceph_storage:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "516F4E8E-ED2F-4282-9DAB-D8B378F61258", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ceph_storage:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "D6E54096-5D45-4CB2-AC9A-DDB55BF2B94C", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "4C85A84D-A70F-4B02-9E5D-CD9660ABF048", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in the Ceph Object Gateway, where it supports request sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en Ceph Object Gateway, donde admite peticiones enviadas por un usuario an\u00f3nimo en Amazon S3. Este fallo podr\u00eda conllevar a posibles ataques de tipo XSS debido a una falta de neutralizaci\u00f3n apropiada de una entrada no segura."}], "id": "CVE-2020-1760", "lastModified": "2024-11-21T05:11:19.730", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.7, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-04-23T15:15:14.607", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1760"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00013.html"}, {"source": "secalert@redhat.com", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P3A2UFR5IUIEXJUCF64GQ5OVLCZGODXE/"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202105-39"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4528-1/"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2020/04/07/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1760"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00013.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P3A2UFR5IUIEXJUCF64GQ5OVLCZGODXE/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202105-39"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4528-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2020/04/07/1"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Robin H. Johnson (DigitalOcean) for reporting this issue. Upstream acknowledges William Bowling as the original reporter.", "affected_release": [{"advisory": "RHSA-2020:3003", "cpe": "cpe:/a:redhat:ceph_storage:4::el7", "package": "ceph-2:14.2.8-81.el8cp", "product_name": "Red Hat Ceph Storage 4.1", "release_date": "2020-07-20T00:00:00Z"}, {"advisory": "RHSA-2020:3003", "cpe": "cpe:/a:redhat:ceph_storage:4::el7", "package": "ceph-ansible-0:4.0.25-1.el8cp", "product_name": "Red Hat Ceph Storage 4.1", "release_date": "2020-07-20T00:00:00Z"}, {"advisory": "RHSA-2020:3003", "cpe": "cpe:/a:redhat:ceph_storage:4::el7", "package": "ceph-medic-0:1.0.8-1.el8cp", "product_name": "Red Hat Ceph Storage 4.1", "release_date": "2020-07-20T00:00:00Z"}, {"advisory": "RHSA-2020:3003", "cpe": "cpe:/a:redhat:ceph_storage:4::el7", "package": "cockpit-ceph-installer-0:1.2-0.el7cp", "product_name": "Red Hat Ceph Storage 4.1", "release_date": "2020-07-20T00:00:00Z"}, {"advisory": "RHSA-2020:3003", "cpe": "cpe:/a:redhat:ceph_storage:4::el7", "package": "nfs-ganesha-0:2.8.3-8.el7cp", "product_name": "Red Hat Ceph Storage 4.1", "release_date": "2020-07-20T00:00:00Z"}], "bugzilla": {"description": "ceph: header-splitting in RGW GetObject has a possible XSS", "id": "1812962", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1812962"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-79", "details": ["A flaw was found in the Ceph Object Gateway, where it supports request sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input.", "A flaw was found in the Ceph Object Gateway, where it supports request sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input."], "mitigation": {"lang": "en:us", "value": "* Mitigation provided by DigitalOcean:\nMitigation relies on the HAProxy load-balancers in front of RGW, and uses HAProxy ACLs combined with in-house Lua embedded in HAProxy.\n1. Detect usage of the query-parameters without any signature (either pre-signed or header), and return S3-formatted error.\n2. Validate the content in the query-parameters, return S3-formatted error.\nHAProxy mitigation:\n===\nacl req_s3_GetObject REDACTED ## redacted uses internal Lua to detect GetObject\nacl has_accesskey REDACTED ## redacted uses internal Lua to detect & validate signature\n# detection 1, QPs present\nacl req_s3_GetObject_urlp_response url_param(response-cache-control) -m found\nacl req_s3_GetObject_urlp_response url_param(response-expires) -m found\nacl req_s3_GetObject_urlp_response url_param(response-content-disposition) -m found\nacl req_s3_GetObject_urlp_response url_param(response-content-encoding) -m found\nacl req_s3_GetObject_urlp_response url_param(response-content-language) -m found\nacl req_s3_GetObject_urlp_response url_param(response-content-type) -m found\n# detection 2, QPs containing unprintable ascii incl CRLR\nacl req_s3_GetObject_urlp_response_crlf url_param(response-cache-control) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f\nacl req_s3_GetObject_urlp_response_crlf url_param(response-expires) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f\nacl req_s3_GetObject_urlp_response_crlf url_param(response-content-disposition) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f\nacl req_s3_GetObject_urlp_response_crlf url_param(response-content-encoding) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f\nacl req_s3_GetObject_urlp_response_crlf url_param(response-content-language) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f\nacl req_s3_GetObject_urlp_response_crlf url_param(response-content-type) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f\n# block for detection 1\nhttp-request use-service lua.REDACTED if req_s3_GetObject req_s3_GetObject_urlp_response !has_accesskey\n# block for detection 2\nhttp-request use-service lua.REDACTED if req_s3_GetObject req_s3_GetObject_urlp_response_crlf\n==="}, "name": "CVE-2020-1760", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "ceph", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "package_name": "ceph", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "ceph", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Affected", "package_name": "ceph", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Not affected", "package_name": "ceph", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:15", "fix_state": "Will not fix", "package_name": "ceph", "product_name": "Red Hat OpenStack Platform 15 (Stein)"}], "public_date": "2020-04-06T17:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-1760\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-1760\nhttps://www.openwall.com/lists/oss-security/2020/04/07/1"], "statement": "Red Hat OpenStack Platform 15 (RHOSP) packages Ceph but no longer uses it, instead pulling ceph directly from the Red Hat Ceph Storage 4 repository. For this reason, RHOSP will not be updated for this flaw.\nThis issue affects the versions of ceph as shipped with Red Hat Ceph Storage 3, 4 and Red Hat Openshift Container Storage 4.2 as it allows unauthenticated requests sent by an anonymous user for Amazon S3.", "threat_severity": "Moderate", "upstream_fix": "ceph 15.2.1, ceph 14.2.9, ceph 13.2.9"}