CVE-2019-19337 — Improper Input Validation in RED HAT Ceph Storage

CWE-20 — Improper Input Validation6 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.5%

top 33.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

RED HAT Ceph Storage Redhat Ceph Storage

Timeline

PublishedDec 23

Latest updateMay 24

Description

A flaw was found in Red Hat Ceph Storage version 3 in the way the Ceph RADOS Gateway daemon handles S3 requests. An authenticated attacker can abuse this flaw by causing a remote denial of service by sending a specially crafted HTTP Content-Length header to the Ceph RADOS Gateway server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDredhat/ceph_storage3.3

▶CVEListV5red_hat/ceph_storageversion 3 (upstream versions of Ceph are not affected)

🔴Vulnerability Details

GHSA

GHSA-pg96-f95x-566r: A flaw was found in Red Hat Ceph Storage version 3 in the way the Ceph RADOS Gateway daemon handles S3 requests↗2022-05-24

▶

CVEList

CVE-2019-19337: A flaw was found in Red Hat Ceph Storage version 3 in the way the Ceph RADOS Gateway daemon handles S3 requests↗2019-12-23

▶

📋Vendor Advisories

Red Hat

ceph: denial of service in RGW daemon↗2019-12-19

▶

Debian

CVE-2019-19337: ceph - A flaw was found in Red Hat Ceph Storage version 3 in the way the Ceph RADOS Gat...↗2019

▶

💬Community

Bugzilla

CVE-2019-19337 ceph: denial of service in RGW daemon↗2019-12-09

▶