CVE-2018-10861 — Improper Authorization in HAT INC Ceph

CWE-285 — Improper Authorization CWE-287 — Improper Authentication8 documents7 sources

Severity

8.1HIGHNVD

EPSS

0.6%

top 31.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

RED HAT INC Ceph Ceph Debian Linux +7 more

Timeline

PublishedJul 10

Latest updateMay 13

Description

A flaw was found in the way ceph mon handles user requests. Any authenticated ceph user having read access to ceph can delete, create ceph storage pools and corrupt snapshot images. Ceph branches master, mimic, luminous and jewel are believed to be affected.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:HExploitability: 2.8 | Impact: 5.2

Affected Packages9 packages

▶NVDredhat/ceph_storage3

▶NVDredhat/ceph_storage_mon2, 3+1

▶NVDredhat/ceph_storage_osd2, 3+1

▶NVDceph/ceph22 versions+21

▶CVEListV5red_hat_inc/cephall versions in branches master, mimic, luminous and jewel

Also affects: Debian Linux 9.0

Patches

Patch: bugzilla.redhat.com ↗Patch: github.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-58jc-hvg4-pxxm: A flaw was found in the way ceph mon handles user requests↗2022-05-13

▶

OSV

CVE-2018-10861: A flaw was found in the way ceph mon handles user requests↗2018-07-10

▶

CVEList

CVE-2018-10861: A flaw was found in the way ceph mon handles user requests↗2018-07-10

▶

📋Vendor Advisories

Red Hat

ceph: ceph-mon does not perform authorization on OSD pool ops↗2018-07-09

▶

Debian

CVE-2018-10861: ceph - A flaw was found in the way ceph mon handles user requests. Any authenticated ce...↗2018

▶

💬Community

Bugzilla

CVE-2018-10861 ceph: ceph-mon does not perform authorization on OSD pool ops [fedora-all]↗2018-07-09

▶

Bugzilla

CVE-2018-10861 ceph: ceph-mon does not perform authorization on OSD pool ops↗2018-06-20

▶