Arch Linux Security Advisory ASA-202105-3

Severity: High
Date    : 2021-05-19
CVE-ID  : CVE-2021-3509 CVE-2021-3524 CVE-2021-3531 CVE-2021-20288
Package : ceph
Type    : multiple issues
Remote  : Yes
The package ceph before version 15.2.12-1 is vulnerable to multiple
issues including insufficient validation, cross-site scripting, denial
of service and url request injection.


Upgrade to 15.2.12-1.

# pacman -Syu "ceph>=15.2.12-1"

The problems have been fixed upstream in version 15.2.12.

- CVE-2021-3509 (cross-site scripting)

A security issue was found in ceph before version 15.2.12. In order to
make the JWT token inaccessible through cross-site scripting (XSS), it
had been moved from localStorage to an httpOnly cookie (CVE-2020-27839).
However, the token cookie is used in the body of the HTTP response for
the documentation, which again exposes it to XSS.

- CVE-2021-3524 (url request injection)

A security issue was found in the Red Hat Ceph Storage RadosGW (Ceph
Object Gateway) before version 15.2.12. The vulnerability is related to
the injection of HTTP headers via a CORS ExposeHeader tag. The newline
character in the ExposeHeader tag in the CORS configuration file
generates a header injection in the response when the CORS request is

In addition, the prior bug fix for CVE-2020-10753 did not account for
the use of \r as a header separator, thus a new flaw has been created.
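The header-separator gap described above, as an added example that is not Ceph's own code: a validator for the ExposeHeader values of an S3-style CORS document, showing why rejecting only `\n` is insufficient. The CORS XML and the `X-Constructed` value are constructed for this example (the CR is written as `&#13;` so the XML parser does not normalize it away).

```python
"""Check CORS ExposeHeader values before they are echoed into HTTP
response headers.  Constructed example; not Ceph's own code."""
import re
import xml.etree.ElementTree as ET

# RFC 7230 token characters: a header name may not contain CTLs or
# separators, so CR, LF and every other control byte fail this pattern.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def lf_only_check(value: str) -> bool:
    """The incomplete check: rejects '\\n' but lets a bare '\\r' through."""
    return "\n" not in value


def is_safe_header_token(value: str) -> bool:
    """Strict check: accept only an RFC 7230 token, so both '\\r' and
    '\\n' (and any other control character) are rejected."""
    return bool(_TOKEN_RE.match(value))


def expose_headers_from_cors(xml_text: str) -> list[str]:
    """Parse an S3-style CORS document and return every ExposeHeader value."""
    root = ET.fromstring(xml_text)
    return [el.text or "" for el in root.iter("ExposeHeader")]


def validate_cors_config(xml_text: str) -> list[str]:
    """Return the ExposeHeader values that must not be echoed into
    Access-Control-Expose-Headers; an empty list means the config is clean."""
    return [h for h in expose_headers_from_cors(xml_text)
            if not is_safe_header_token(h)]


# Constructed sample CORS configuration: two legitimate headers and one
# value carrying a bare carriage return (&#13;) followed by a second line.
SAMPLE_CORS = (
    "<CORSConfiguration><CORSRule>"
    "<AllowedOrigin>*</AllowedOrigin><AllowedMethod>GET</AllowedMethod>"
    "<ExposeHeader>x-amz-request-id</ExposeHeader>"
    "<ExposeHeader>ETag</ExposeHeader>"
    "<ExposeHeader>Content-Length&#13;X-Constructed: test</ExposeHeader>"
    "</CORSRule></CORSConfiguration>"
)

if __name__ == "__main__":
    for h in expose_headers_from_cors(SAMPLE_CORS):
        print(repr(h), "lf_only:", lf_only_check(h),
              "strict:", is_safe_header_token(h))
```

Running it shows the CR-bearing value passing `lf_only_check` while `validate_cors_config` flags it; the same token check applies to any configuration value that ends up in a response header.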

- CVE-2021-3531 (denial of service)

A security issue was found in the Red Hat Ceph Storage RGW before
version 15.2.12. When processing a GET Request for a swift URL that
ends with two slashes it can cause the rgw to crash, resulting in a
denial of service.

- CVE-2021-20288 (insufficient validation)

An authentication flaw was found in ceph before version 15.2.11. When
the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it does not
sanitize other_keys, allowing key reuse. An attacker who can request a
global_id can exploit the ability of any user to request a global_id
previously associated with another user, as ceph does not force the
reuse of old keys to generate new ones.


A remote attacker could obtain a user's access token using cross-site
scripting, inject headers into requests to bypass CORS, crash the
server using a crafted request, or reuse old authentication keys.