CVE-2020-1760 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Cross-site scripting
Description	A flaw was found in the Ceph Object Gateway, where it supports request sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input. If the attacker knows the path to a publicly readable object on any RGW cluster and the object is at least large enough to cover the attack body then it is possible to run an XSS on any object.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1195	ceph	14.2.8-1	15.2.6-1	High	Fixed	FS#67047

Date	Advisory	Group	Package	Severity	Type
26 Nov 2020	ASA-202011-22	AVG-1195	ceph	High	multiple issues

References
https://docs.ceph.com/en/latest/releases/octopus/#v15-2-1-octopus https://docs.ceph.com/en/latest/releases/nautilus/#v14-2-9-nautilus https://www.openwall.com/lists/oss-security/2020/04/07/1 https://github.com/ceph/ceph/pull/34482 https://github.com/ceph/ceph/commit/fce0b267446d6f3f631bb4680ebc3527bbbea002 https://github.com/ceph/ceph/commit/87a63d1743ec6428b43cc5a5977fa5e90f50b7ed https://github.com/ceph/ceph/commit/c7da604cb101cbe78a257a29498a98c69964e0a6

References

https://docs.ceph.com/en/latest/releases/octopus/#v15-2-1-octopus
https://docs.ceph.com/en/latest/releases/nautilus/#v14-2-9-nautilus
https://www.openwall.com/lists/oss-security/2020/04/07/1
https://github.com/ceph/ceph/pull/34482
https://github.com/ceph/ceph/commit/fce0b267446d6f3f631bb4680ebc3527bbbea002
https://github.com/ceph/ceph/commit/87a63d1743ec6428b43cc5a5977fa5e90f50b7ed
https://github.com/ceph/ceph/commit/c7da604cb101cbe78a257a29498a98c69964e0a6