.. _CVE-2021-3524:

CVE-2021-3524: HTTP header injection via CORS in RGW
====================================================

* `NIST information page <https://nvd.nist.gov/vuln/detail/CVE-2021-3524>`_

A flaw was found in radosgw (RGW). The vulnerability is an HTTP header
injection via a CORS ExposeHeader tag: a \r character placed in the
ExposeHeader tag of the CORS configuration is copied into the
response headers when a CORS request is made, which lets the
configured value inject additional headers into the response.
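As an added example (not Ceph's own code), the following Python sketch pulls the ExposeHeader values out of a constructed S3-style CORS document, shows the verbatim echo that produces the injection described above, and the token check that rejects any value containing CR or LF before it can reach the response. The function names and the sample XML are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# RFC 7230 "token" grammar for a header field name: letters, digits and a few
# symbols; CR, LF, SP, HT and separators such as ':' are all excluded.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Constructed sample CORS configuration. The second rule carries an
# ExposeHeader value with CR LF (written as character references so the XML
# parser keeps the CR byte) followed by a second, attacker-chosen header line.
SAMPLE_CORS_XML = (
    "<CORSConfiguration>"
    "<CORSRule><AllowedOrigin>*</AllowedOrigin><AllowedMethod>GET</AllowedMethod>"
    "<ExposeHeader>x-amz-request-id</ExposeHeader>"
    "<ExposeHeader>ETag</ExposeHeader></CORSRule>"
    "<CORSRule><AllowedOrigin>*</AllowedOrigin><AllowedMethod>GET</AllowedMethod>"
    "<ExposeHeader>x-foo&#13;&#10;Set-Cookie: injected=1</ExposeHeader></CORSRule>"
    "</CORSConfiguration>"
)


def expose_header_values(cors_xml):
    """Collect every ExposeHeader text value, ignoring any XML namespace prefix."""
    root = ET.fromstring(cors_xml)
    return [el.text or "" for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "ExposeHeader"]


def is_valid_header_name(value):
    """True only if the value is a single RFC 7230 token (so no CR/LF inside)."""
    return bool(_TOKEN_RE.match(value))


def unsafe_expose_line(values):
    """The vulnerable pattern: echo the configured values verbatim."""
    return "Access-Control-Expose-Headers: " + ", ".join(values)


def safe_expose_line(values):
    """Hardened version: refuse the configuration if any value is not a token,
    so nothing containing CR or LF can ever be written into the header block."""
    bad = [v for v in values if not is_valid_header_name(v)]
    if bad:
        raise ValueError("invalid ExposeHeader value(s): %r" % bad)
    return "Access-Control-Expose-Headers: " + ", ".join(values)


if __name__ == "__main__":
    values = expose_header_values(SAMPLE_CORS_XML)
    print(unsafe_expose_line(values).encode())  # the CR LF splits in a second header
    try:
        safe_expose_line(values)
    except ValueError as exc:
        print("rejected:", exc)
```

Validating at configuration-write time (when the CORS document is stored) and again at response time gives defence in depth, since a stored configuration may predate the check.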

Fixed versions
--------------

* Pacific v16.2.4 (and later)
* Octopus v15.2.12 (and later)
* Nautilus v14.2.21 (and later)

Recommendations
---------------

All users of Ceph object storage (RGW) should upgrade.

Acknowledgements
----------------

Red Hat would like to thank Sergey Bobrov (Kaspersky) for reporting this issue.