CVE-2020-1760

Severity
6.1 MEDIUM
EPSS
0.4%
top 42.27%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Apr 23
Latest update: May 24

Description

A flaw was found in the Ceph Object Gateway, where it supports requests sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
Exploitability: 1.6 | Impact: 3.7

Affected Packages (4 packages)

NVD: linuxfoundation/ceph < 14.2.21
Debian: ceph < 14.2.9-1 +3
CVEListV5: [unknown]/ceph 13.2.9, 14.2.9, 15.2.1 +2
NVD: redhat/ceph_storage 3.0, 4.0 +1

Also affects: Debian Linux 9.0, Fedora 31, Ubuntu Linux 16.04, 18.04, Openshift Container Platform 4.2

Patches

🔴 Vulnerability Details (4)

GHSA: GHSA-gj74-48rr-85f7: A flaw was found in the Ceph Object Gateway, where it supports request sent by an anonymous user in Amazon S3 (2022-05-24)
OSV: ceph vulnerabilities (2020-09-22)
CVEList: CVE-2020-1760: A flaw was found in the Ceph Object Gateway, where it supports request sent by an anonymous user in Amazon S3 (2020-04-23)
OSV: CVE-2020-1760: A flaw was found in the Ceph Object Gateway, where it supports request sent by an anonymous user in Amazon S3 (2020-04-23)

📋 Vendor Advisories (3)

Ubuntu: Ceph vulnerabilities (2020-09-22)
Red Hat: ceph: header-splitting in RGW GetObject has a possible XSS (2020-04-06)
Debian: CVE-2020-1760: ceph - A flaw was found in the Ceph Object Gateway, where it supports request sent by a... (2020)

💬 Community (2)

Bugzilla: CVE-2020-1760 ceph: header-splitting in RGW GetObject has a possible XSS [fedora-all] (2020-04-07)
Bugzilla: CVE-2020-1760 ceph: header-splitting in RGW GetObject has a possible XSS (2020-03-12)
CVE-2020-1760 (MEDIUM CVSS 6.1) | A flaw was found in the Ceph Object | cvebase.io