PublicDateAtUSN: 2020-06-22 18:15:00 UTC
Candidate: CVE-2020-10736
PublicDate: 2020-06-22 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10736
 https://ceph.io/releases/v15-2-2-octopus-released/
 https://ubuntu.com/security/notices/USN-4706-1
Description:
 An authorization bypass vulnerability was found in Ceph versions 15.2.0
 before 15.2.2, where the ceph-mon and ceph-mgr daemons do not properly
 restrict access, allowing a client to reach resources it is not authorized
 for. This flaw allows an authenticated client to modify the cluster
 configuration and possibly conduct further attacks.
Ubuntu-Description:
Notes:
 mdeslaur> introduced in 15.2.0
 mdeslaur> fixed in 15.2.3-0ubuntu0.20.04.1 in focal-updates, but not yet
 mdeslaur> in security pocket.
Mitigation:
Bugs:
Priority: medium
Discovered-by: Olle Segerdahl
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.0 HIGH]

Patches_ceph:
 upstream: https://github.com/ceph/ceph/commit/c7e7009a690621aacd4ac2c70c6469f25d692868 (master)
 upstream: https://github.com/ceph/ceph/commit/f2cf2ce1bd9a86462510a7a12afa4e528b615df2 (v15.2.2)
upstream_ceph: released (15.2.2)
precise/esm_ceph: not-affected (code not present)
trusty_ceph: ignored (out of standard support)
trusty/esm_ceph: not-affected (code not present)
xenial_ceph: not-affected (code not present)
esm-infra/xenial_ceph: not-affected (code not present)
bionic_ceph: not-affected (code not present)
eoan_ceph: ignored (reached end-of-life)
focal_ceph: released (15.2.7-0ubuntu0.20.04.2)
groovy_ceph: released (15.2.3-0ubuntu1)
devel_ceph: released (15.2.3-0ubuntu1)