Date: Thu, 25 Jun 2020 21:07:17 +0200 From: Przemyslaw Roguski <proguski@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE-2020-10753 ceph: radosgw: HTTP header injection via CORS ExposeHeader tag Hello Team, A flaw was found in the Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. This issue affects the RadosGW S3 API, it does not affect the Swift API. This flaw affects Nautilus and Octopus based versions. Red Hat has assigned CVE-2020-10753 and rated it as Moderate impact flaw. PR: https://github.com/ceph/ceph/pull/35773 Patch: https://github.com/ceph/ceph/pull/35773/commits/1524d3c0c5cb11775313ea1e2bb36a93257947f2 The fix will be included in the Octopus version in the coming days. Credit: William Bowling Best Regards, Przemyslaw Roguski / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.