Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2021-20288

Опубликовано: 15 апр. 2021
Источник: nvd
CVSS3: 7.2
CVSS2: 6.5
EPSS Низкий

Описание

An authentication flaw was found in ceph in versions before 14.2.20. When the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys, allowing key reuse. An attacker who can request a global_id can exploit the ability of any user to request a global_id previously associated with another user, as ceph does not force the reuse of old keys to generate new ones. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Ссылки

Уязвимые конфигурации

Конфигурация 1
cpe:2.3:a:linuxfoundation:ceph:*:*:*:*:*:*:*:*
Версия до 14.2.21 (исключая)
Конфигурация 2
cpe:2.3:a:redhat:ceph_storage:4.0:*:*:*:*:*:*:*
Конфигурация 3

Одно из

cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Конфигурация 4
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

EPSS

Процентиль: 40%
0.00179
Низкий

7.2 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-287
CWE-287

Связанные уязвимости

ubuntu логотип

CVE-2021-20288

CVSS3: 7.2
ubuntu
почти 5 лет назад

An authentication flaw was found in ceph in versions before 14.2.20. When the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys, allowing key reuse. An attacker who can request a global_id can exploit the ability of any user to request a global_id previously associated with another user, as ceph does not force the reuse of old keys to generate new ones. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

redhat логотип

CVE-2021-20288

CVSS3: 8
redhat
почти 5 лет назад

An authentication flaw was found in ceph in versions before 14.2.20. When the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys, allowing key reuse. An attacker who can request a global_id can exploit the ability of any user to request a global_id previously associated with another user, as ceph does not force the reuse of old keys to generate new ones. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

debian логотип

CVE-2021-20288

CVSS3: 7.2
debian
почти 5 лет назад

An authentication flaw was found in ceph in versions before 14.2.20. W ...

suse-cvrf логотип

openSUSE-SU-2021:0672-1

suse-cvrf
почти 5 лет назад

Security update for ceph

suse-cvrf логотип

SUSE-SU-2021:1474-1

suse-cvrf
почти 5 лет назад

Security update for ceph

EPSS

Процентиль: 40%
0.00179
Низкий

7.2 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-287
CWE-287