Launchpad.net

CVE 2021-3524

A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway) in versions before 14.2.21. The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. In addition, the prior bug fix for CVE-2020-10753 did not account for the use of \r as a header separator, thus a new flaw has been created.

Related bugs and status

CVE-2021-3524 (Candidate) is related to these bugs:

Bug #1928645: [SRU] ceph 16.2.4

		In	Importance	Status
1928645	[SRU] ceph 16.2.4	ceph (Ubuntu)	High	Fix Released
1928645	[SRU] ceph 16.2.4	ceph (Ubuntu Impish)	High	Fix Released
1928645	[SRU] ceph 16.2.4	ceph (Ubuntu Hirsute)	High	Fix Released
1928645	[SRU] ceph 16.2.4	Ubuntu Cloud Archive	High	Fix Released
1928645	[SRU] ceph 16.2.4	Ubuntu Cloud Archive wallaby	High	Fix Released
1928645	[SRU] ceph 16.2.4	Ubuntu Cloud Archive xena	High	Fix Released

Bug #1929179: [SRU] ceph 15.2.12

		In	Importance	Status
1929179	[SRU] ceph 15.2.12	ceph (Ubuntu)	Undecided	Invalid
1929179	[SRU] ceph 15.2.12	ceph (Ubuntu Groovy)	High	Fix Released
1929179	[SRU] ceph 15.2.12	ceph (Ubuntu Focal)	High	Fix Released
1929179	[SRU] ceph 15.2.12	Ubuntu Cloud Archive	Undecided	Invalid
1929179	[SRU] ceph 15.2.12	Ubuntu Cloud Archive ussuri	High	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2021-3524

Related bugs and status

Related bugs

References