CVE-2020-1760
Published: 23 April 2020
A flaw was found in the Ceph Object Gateway, where it supports requests sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input.
Priority
Status
Package | Release | Status |
---|---|---|
ceph | eoan | Ignored (end of life) |
ceph | trusty | Needed |
ceph | upstream | Released (15.2.1) |
ceph | impish | Not vulnerable (15.2.1-0ubuntu2) |
ceph | focal | Not vulnerable (15.2.1-0ubuntu1) |
ceph | groovy | Not vulnerable (15.2.1-0ubuntu2) |
ceph | hirsute | Not vulnerable (15.2.1-0ubuntu2) |
ceph | bionic | Released (12.2.13-0ubuntu0.18.04.4) |
ceph | xenial | Released (10.2.11-0ubuntu0.16.04.3) |
ceph | jammy | Not vulnerable (15.2.1-0ubuntu2) |
ceph | kinetic | Not vulnerable (15.2.1-0ubuntu2) |
ceph | lunar | Not vulnerable (15.2.1-0ubuntu2) |
ceph | mantic | Not vulnerable (15.2.1-0ubuntu2) |
Patches:
upstream: https://github.com/ceph/ceph-ci/commit/8aa1f77363ec32bdc57744a143035033291ab5e1
upstream: https://github.com/ceph/ceph-ci/commit/18eb4d918b27d362312c29a3bbd57a421897c0a5
upstream: https://github.com/ceph/ceph-ci/commit/1bf14094fec34770d2cc74317f4238ccb2dfef98
upstream: https://github.com/ceph/ceph/commit/ba0790a01ba5252db1ebc299db6e12cd758d0ff9
upstream: https://github.com/ceph/ceph/commit/607a65fccd8a80c2f2c74853a6dc5c14ed8a75c1
upstream: https://github.com/ceph/ceph/commit/9ca5b3628245e2878426602bb24f1a4e45edc850
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.1 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Changed |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |