CVE-2018-16846

Severity
6.5 MEDIUM
EPSS
4.6%
top 10.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Jan 15
Latest update May 13

Description

It was found in Ceph versions before 13.2.4 that authenticated ceph RGW users can cause a denial of service against OMAPs holding bucket indices.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6

Affected Packages: 7 packages

NVD redhat/ceph < 13.2.4
Debian ceph < 12.2.11+dfsg1-1+3
Ubuntu ceph < 10.2.11-0ubuntu0.16.04.2
CVEListV5 [unknown]/ceph 13.2.4
NVD redhat/ceph_storage 2.0, 3.0+1

Also affects: Debian Linux 8.0, 9.0, Ubuntu Linux 16.04, 18.10, 19.04

Patches

🔴 Vulnerability Details

4
GHSA
GHSA-77fq-6x6c-cq7q: It was found in Ceph versions before 13 | 2022-05-13
OSV
ceph vulnerabilities | 2019-06-25
OSV
CVE-2018-16846: It was found in Ceph versions before 13 | 2019-01-15
CVEList
CVE-2018-16846: It was found in Ceph versions before 13 | 2019-01-15

📋 Vendor Advisories

3
Ubuntu
Ceph vulnerabilities | 2019-06-25
Red Hat
ceph: ListBucket max-keys has no defined limit in the RGW codebase | 2019-01-07
Debian
CVE-2018-16846: ceph - It was found in Ceph versions before 13.2.4 that authenticated ceph RGW users ca... | 2018

💬 Community

2
Bugzilla
CVE-2018-16846 ceph: ListBucket max-keys has no defined limit in the RGW codebase [fedora-all] | 2019-01-14
Bugzilla
CVE-2018-16846 ceph: ListBucket max-keys has no defined limit in the RGW codebase | 2018-10-30