CVE-2024-31884 — Improper Certificate Validation in Ceph
Severity: 7.5 HIGH (OSV), no vector
EPSS: No EPSS data
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jan 20
Latest update: Feb 24
Description
pybind: Improper use of Pybind
A flaw was found in Ceph. An attacker can allow Ceph to accept any certificate because no certificate context is passed via Pybind to the constructors imaplib.IMAP4_SSL or smtplib.SMTP_SSL. As a result, pybind does not check the server's X.509 certificate, instead accepting any certificate. This enables an attacker to carry out a man-in-the-middle (MITM) attack, compromising mail server credentials or mail contents.
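A check for this pattern in Python code, as an added example that is not part of the advisory or of Ceph's code: it walks a module's AST and reports every smtplib.SMTP_SSL or imaplib.IMAP4_SSL call that passes no SSLContext. The keyword names context and ssl_context are the standard-library parameters; find_unverified_calls, verified_context, SAMPLE and the host mail.example.test are hypothetical names constructed for the example.

```python
import ast
import ssl

# Keyword that carries the SSLContext for each constructor named in the advisory
# (standard-library parameter names).
CONTEXT_KW = {"SMTP_SSL": "context", "IMAP4_SSL": "ssl_context"}

# Constructed sample source; mail.example.test is a placeholder host.
SAMPLE = '''\
import imaplib, smtplib, ssl
smtp = smtplib.SMTP_SSL("mail.example.test", 465)
imap = imaplib.IMAP4_SSL("mail.example.test", 993)
ctx = ssl.create_default_context()
smtp_ok = smtplib.SMTP_SSL("mail.example.test", 465, context=ctx)
imap_ok = imaplib.IMAP4_SSL("mail.example.test", 993, ssl_context=ctx)
imap_none = imaplib.IMAP4_SSL("mail.example.test", ssl_context=None)
'''


def find_unverified_calls(source):
    """Return sorted (line, constructor) pairs for calls that pass no SSLContext."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        kw = CONTEXT_KW.get(name)
        if kw is None:
            continue  # not one of the two constructors
        # Only keyword arguments are inspected; a call using **kwargs is reported
        # too, because the scanner cannot see what the dict contains.
        value = {k.arg: k.value for k in node.keywords}.get(kw)
        # A missing keyword and an explicit None both use the library default.
        if value is None or (isinstance(value, ast.Constant) and value.value is None):
            findings.append((node.lineno, name))
    return sorted(findings)


def verified_context():
    """Context to hand to either constructor: chain and hostname are both checked."""
    ctx = ssl.create_default_context()
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


if __name__ == "__main__":
    for line, name in find_unverified_calls(SAMPLE):
        print(f"line {line}: {name} called without an SSLContext")
```

The scanner only establishes that some context object is passed; a context built with verification switched off still needs review by hand.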
Mitigation: Mitigation for this issue is eit…