CVE-2021-3524 - log

CVE-2021-3524 edited at 14 May 2021 19:35:23
Description
- A security issue was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made.
+ A security issue was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway) before version 15.2.12. The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made.
In addition, the prior bug fix for CVE-2020-10753 did not account for the use of \r as a header separator, thus a new flaw has been created.
CVE-2021-3524 edited at 14 May 2021 19:26:48
References
https://bugzilla.redhat.com/show_bug.cgi?id=1951674
+ https://github.com/ceph/ceph/commit/94f7c87a78b05ec856a5ee1ff62af136331776a3
CVE-2021-3524 edited at 01 May 2021 10:08:49
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Url request injection
Description
+ A security issue was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made.
+
+ In addition, the prior bug fix for CVE-2020-10753 did not account for the use of \r as a header separator, thus a new flaw has been created.
References
+ https://bugzilla.redhat.com/show_bug.cgi?id=1951674
Notes
CVE-2021-3524 created at 01 May 2021 10:07:13