diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 18:45:59 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 18:45:59 +0000 |
| commit | 19fcec84d8d7d21e796c7624e521b60d28ee21ed (patch) | |
| tree | 42d26aa27d1e3f7c0b8bd3fd14e7d7082f5008dc /doc/security/CVE-2021-3524.rst | |
| parent | Initial commit. (diff) | |
| download | ceph-19fcec84d8d7d21e796c7624e521b60d28ee21ed.tar.xz ceph-19fcec84d8d7d21e796c7624e521b60d28ee21ed.zip | |
Adding upstream version 16.2.11+ds.upstream/16.2.11+dsupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/security/CVE-2021-3524.rst')
| -rw-r--r-- | doc/security/CVE-2021-3524.rst | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/doc/security/CVE-2021-3524.rst b/doc/security/CVE-2021-3524.rst new file mode 100644 index 000000000..4d627c071 --- /dev/null +++ b/doc/security/CVE-2021-3524.rst @@ -0,0 +1,30 @@ +.. _CVE-2021-3524: + +CVE-2021-3524: HTTP header injects via CORS in RGW +================================================== + +* `NIST information page <https://nvd.nist.gov/vuln/detail/CVE-2021-3524>`_ + +A flaw was found in the radosgw. The vulnerability is related to the +injection of HTTP headers via a CORS ExposeHeader tag. The \r +character in the ExposeHeader tag in the CORS configuration file +generates a header injection in the response when the CORS request is +made. + +Fixed versions +-------------- + +* Pacific v16.2.4 (and later) +* Octopus v15.2.12 (and later) +* Nautilus v14.2.21 (and later) + +Recommendations +--------------- + +All users of Ceph object storage (RGW) should upgrade. + +Acknowledgements +---------------- + +Red Hat would like to thank Sergey Bobrov (Kaspersky) for reporting this issue. + |