PublicDateAtUSN: 2020-04-23 15:15:00 UTC
Candidate: CVE-2020-1760
PublicDate: 2020-04-23 15:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1760
 https://www.openwall.com/lists/oss-security/2020/04/07/1
 https://ubuntu.com/security/notices/USN-4528-1
Description:
 A flaw was found in the Ceph Object Gateway, where it supports request sent
 by an anonymous user in Amazon S3. This flaw could lead to potential XSS
 attacks due to the lack of proper neutralization of untrusted input.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956142
Priority: medium
Discovered-by: Robin H. Johnson
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1 MEDIUM]


Patches_ceph:
 upstream: https://github.com/ceph/ceph-ci/commit/8aa1f77363ec32bdc57744a143035033291ab5e1
 upstream: https://github.com/ceph/ceph-ci/commit/18eb4d918b27d362312c29a3bbd57a421897c0a5
 upstream: https://github.com/ceph/ceph-ci/commit/1bf14094fec34770d2cc74317f4238ccb2dfef98
 upstream: https://github.com/ceph/ceph/commit/ba0790a01ba5252db1ebc299db6e12cd758d0ff9 (13.2.9)
 upstream: https://github.com/ceph/ceph/commit/607a65fccd8a80c2f2c74853a6dc5c14ed8a75c1 (13.2.9)
 upstream: https://github.com/ceph/ceph/commit/9ca5b3628245e2878426602bb24f1a4e45edc850 (13.2.9)
upstream_ceph: released (15.2.1)
precise/esm_ceph: ignored (end of ESM support, was needs-triage)
trusty_ceph: ignored (out of standard support)
trusty/esm_ceph: needed
xenial_ceph: released (10.2.11-0ubuntu0.16.04.3)
esm-infra/xenial_ceph: released (10.2.11-0ubuntu0.16.04.3)
bionic_ceph: released (12.2.13-0ubuntu0.18.04.4)
eoan_ceph: ignored (reached end-of-life)
focal_ceph: not-affected (15.2.1-0ubuntu1)
groovy_ceph: not-affected (15.2.1-0ubuntu2)
hirsute_ceph: not-affected (15.2.1-0ubuntu2)
impish_ceph: not-affected (15.2.1-0ubuntu2)
jammy_ceph: not-affected (15.2.1-0ubuntu2)
devel_ceph: not-affected (15.2.1-0ubuntu2)