CVE-2021-3524
PUBLISHED
A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway) in versions before 14.2.21. The vulnerability is an HTTP header injection via the CORS ExposeHeader tag: a newline character in an ExposeHeader value in the CORS configuration is copied into the response headers when a CORS request is made, so the attacker-controlled value splits the header line. In addition, the earlier fix for CVE-2020-10753 did not account for the use of \r as a header separator, so a new flaw was created.
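The validation gap the description refers to, as an added illustration that is not Ceph's code: a check that rejects only LF (standing in for the incomplete earlier fix as the advisory characterises it) lets a value containing a bare CR split the Access-Control-Expose-Headers line, while a check that rejects every control character refuses the configuration outright. The function names, the regex and the sample ExposeHeader values are constructed for this example.

```python
import re
from typing import Callable, List

# Constructed ExposeHeader values, as they might appear in a bucket's CORS
# configuration; sample data for this example, not from a real deployment.
CLEAN_EXPOSE = ["x-amz-request-id", "x-amz-id-2"]
TAINTED_EXPOSE = ["x-amz-request-id", "x-amz-id-2\rX-Injected: 1"]

# RFC 7230 field values are printable ASCII plus SP and HTAB; CR, LF, NUL,
# the other C0 controls and DEL must never appear in one.
_FORBIDDEN = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def lf_only_check(value: str) -> bool:
    """Stand-in for the gap the advisory describes: a check that stops LF but
    not a bare CR. Illustrative only, not Ceph's earlier patch."""
    return "\n" not in value


def is_safe_header_value(value: str) -> bool:
    """Reject every control character, so neither CR nor LF can reach the
    response. Enforce this when the CORS configuration is stored (PUT bucket
    CORS), not only when the response is rendered."""
    return _FORBIDDEN.search(value) is None


def build_expose_header(values: List[str],
                        check: Callable[[str], bool] = is_safe_header_value) -> str:
    """Assemble the Access-Control-Expose-Headers line, refusing tainted values."""
    for v in values:
        if not check(v):
            raise ValueError(f"control character in ExposeHeader value: {v!r}")
    return "Access-Control-Expose-Headers: " + ", ".join(values) + "\r\n"


def is_rejected(values: List[str],
                check: Callable[[str], bool] = is_safe_header_value) -> bool:
    """True when the validator refuses to emit the header for these values."""
    try:
        build_expose_header(values, check)
    except ValueError:
        return True
    return False


def header_lines(raw: str) -> List[str]:
    """Split a header block the way a lenient parser might: CRLF, bare LF or bare CR."""
    return [line for line in re.split(r"\r\n|\r|\n", raw) if line]
```

With the LF-only check, `header_lines(build_expose_header(TAINTED_EXPOSE, lf_only_check))` yields two header lines; with the default check, `is_rejected(TAINTED_EXPOSE)` is True and nothing is emitted.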
EPSS 0.86% · 75.4th percentile
Risk Scores
- EPSS Score: 0.86% (75.4th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:16.04:LTS | ceph | 0, 0.94.3-0ubuntu2, 0.94.5-0ubuntu1 |
| Ubuntu:20.04:LTS | ceph | 15.2.7-0ubuntu0.20.04.1, 14.2.2-0ubuntu3, 14.2.2-0ubuntu4 |
| Ubuntu:18.04:LTS | ceph | 12.2.13-0ubuntu0.18.04.3, 12.2.7-0ubuntu0.18.04.1, 12.2.12-0ubuntu0.18.04.4 |
Exploit Intelligence
- https://bugzilla.redhat.com/show_bug.cgi?id=1951674 (circl)
- FEDORA-2021-ec414c5e18 (circl)
- FEDORA-2021-6e540b85b9 (circl)
- FEDORA-2021-1bf13db941 (circl)
- [debian-lts-announce] 20210810 [SECURITY] [DLA 2735-1] ceph security update (circl)
- [debian-lts-announce] 20231023 [SECURITY] [DLA 3629-1] ceph security update (circl)
Timeline
- May 17, 2021 CVE Published
- May 18, 2021 EPSS Score
- Jul 21, 2021 EPSS Score
- Nov 21, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Jan 21, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 24, 2022 EPSS Score
- Jul 26, 2022 EPSS Score
- Sep 25, 2022 EPSS Score
- Jan 27, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-3524 third-party-advisory
- https://ubuntu.com/security/notices/USN-4998-1 vendor-advisory
- https://ubuntu.com/security/notices/USN-5128-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-3524 third-party-advisory
- https://ubuntu.com/security/notices/USN-7706-1 vendor-advisory