CVE-2019-3821Missing Release of Resource after Effective Lifetime in Civetweb

CWE-772Missing Release of Resource after Effective Lifetime9 documents7 sources
Severity
7.5HIGHNVD
OSV5.7
EPSS
0.9%
top 24.45%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Ceph CivetwebRedhat CephCanonical Ubuntu Linux+1 more
Timeline
PublishedMar 27
Latest updateMay 13

Description

A flaw was found in the way civetweb frontend was handling requests for ceph RGW server with SSL enabled. An unauthenticated attacker could create multiple connections to ceph RADOS gateway to exhaust file descriptors for ceph-radosgw service resulting in a remote denial of service.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDceph/civetweb< 1.11
Ubunturedhat/ceph< 10.2.11-0ubuntu0.16.04.2
debiandebian/ceph

Also affects: Ubuntu Linux 16.04, 18.10, 19.04

🔴Vulnerability Details

3
GHSA
GHSA-24mx-5rm6-qcm5: A flaw was found in the way civetweb frontend was handling requests for ceph RGW server with SSL enabled2022-05-13
OSV
ceph vulnerabilities2019-06-25
OSV
CVE-2019-3821: A flaw was found in the way civetweb frontend was handling requests for ceph RGW server with SSL enabled2019-03-27

📋Vendor Advisories

3
Ubuntu
Ceph vulnerabilities2019-06-25
Red Hat
ceph: radosgw: Resource exhaustion via TCP connection to port serving the SSL endpoint2019-02-11
Debian
CVE-2019-3821: ceph - A flaw was found in the way civetweb frontend was handling requests for ceph RGW...2019

💬Community

2
Bugzilla
CVE-2019-3821 ceph: radosgw: Resource exhaustion via TCP connection to port serving the SSL endpoint [fedora-all]2019-02-11
Bugzilla
CVE-2019-3821 ceph: radosgw: Resource exhaustion via TCP connection to port serving the SSL endpoint2018-12-06