mirror of https://github.com/ceph/ceph
31 lines
804 B
ReStructuredText
.. _CVE-2021-3524:

CVE-2021-3524: HTTP header injection via CORS in RGW
====================================================

* `NIST information page <https://nvd.nist.gov/vuln/detail/CVE-2021-3524>`_

A flaw was found in radosgw. The vulnerability is related to the
injection of HTTP headers via a CORS ExposeHeader tag. A \r
character in the ExposeHeader tag in the CORS configuration file
generates a header injection in the response when the CORS request is
made.
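
The check a gateway, or an administrator's pre-flight tool, needs before any ExposeHeader value is copied into a response header line, as an added example in Python; it is not Ceph's code. The element names follow the S3 CORS XML format, and the sample configuration is constructed for the example.

```python
"""Pre-flight validator for S3-style CORS documents (added example, not Ceph code).

CVE-2021-3524: a CR in an ExposeHeader value was copied verbatim into the
Access-Control-Expose-Headers response line, letting a bucket's CORS document
inject extra header lines. Check such values before storing or emitting them.
"""
import re
import xml.etree.ElementTree as ET

# Any CTL (including \r and \n) terminates or splits an HTTP header line.
CTL_RE = re.compile(r"[\x00-\x1f\x7f]")
# ExposeHeader lists header *names*, which must be RFC 7230 tokens.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def _local(tag):
    """Strip the XML namespace that S3 CORS documents usually carry."""
    return tag.rsplit("}", 1)[-1]

def find_unsafe_header_values(cors_xml):
    """Return (rule_index, element, reason) for every value unsafe to emit."""
    root = ET.fromstring(cors_xml)
    rules = [e for e in root.iter() if _local(e.tag) == "CORSRule"]
    findings = []
    for idx, rule in enumerate(rules):
        for child in rule:
            tag, value = _local(child.tag), (child.text or "")
            if CTL_RE.search(value):
                findings.append((idx, tag, "control character"))
            elif tag == "ExposeHeader" and not TOKEN_RE.match(value):
                findings.append((idx, tag, "not an HTTP token"))
    return findings

# Constructed sample: rule 0 is clean, rule 1 carries the CR/LF the advisory
# describes (as XML character references, which the parser keeps verbatim),
# rule 2 names a header that is not a token (contains a space).
SAMPLE_CORS = (
    '<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
    "<CORSRule><AllowedOrigin>https://app.example</AllowedOrigin>"
    "<AllowedMethod>GET</AllowedMethod><ExposeHeader>ETag</ExposeHeader></CORSRule>"
    "<CORSRule><AllowedOrigin>*</AllowedOrigin><AllowedMethod>GET</AllowedMethod>"
    "<ExposeHeader>ETag&#13;&#10;X-Constructed: 1</ExposeHeader></CORSRule>"
    "<CORSRule><AllowedOrigin>*</AllowedOrigin><AllowedMethod>GET</AllowedMethod>"
    "<ExposeHeader>x-amz request-id</ExposeHeader></CORSRule>"
    "</CORSConfiguration>"
)

if __name__ == "__main__":
    for finding in find_unsafe_header_values(SAMPLE_CORS):
        print("reject rule %d: <%s> %s" % finding)
```

A fixed gateway applies the same rejection at PutBucketCors time and again when rendering the response, so a pre-existing stored configuration cannot be replayed into a header.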

Fixed versions
--------------

* Pacific v16.2.4 (and later)
* Octopus v15.2.12 (and later)
* Nautilus v14.2.21 (and later)

Recommendations
---------------

All users of Ceph object storage (RGW) should upgrade.

Acknowledgements
----------------

Red Hat would like to thank Sergey Bobrov (Kaspersky) for reporting this issue.