A vulnerability in the Ceph Rados Gateway (RadosGW) OIDC provider allows attackers to bypass JWT signature verification by supplying a token with "none" as the algorithm (alg). This occurs because the implementation fails to enforce strict signature validation, enabling attackers to forge valid tokens without a signature.
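As an added illustration (not code from Ceph or this advisory), the following contrasts the flawed verification pattern the description names, where the token's own alg header decides whether a signature is checked, with a strict verifier that fixes the allowed algorithms server-side. HS256 with a constructed shared secret stands in for the provider-signed tokens RadosGW actually validates; the token builder and secret are assumptions made so the example runs offline.

```python
import base64, hashlib, hmac, json

# Constructed demo secret; real RadosGW tokens are signed by the OIDC provider's
# keys. HS256 with a shared secret is an assumption so the example runs offline.
DEMO_SECRET = b"constructed-demo-secret"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, alg: str, secret: bytes = DEMO_SECRET) -> str:
    """Build a compact JWS; alg='none' yields an empty signature segment."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = ""
    if alg == "HS256":
        mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256)
        sig = _b64url_encode(mac.digest())
    return f"{header}.{payload}.{sig}"

def _check_hs256(h: str, p: str, s: str, secret: bytes) -> None:
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not s or not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad or missing signature")

def verify_lenient(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """The flawed pattern: the token's own alg header decides whether to verify."""
    h, p, s = token.split(".")
    if json.loads(_b64url_decode(h)).get("alg") != "none":
        _check_hs256(h, p, s, secret)      # alg 'none' skips this entirely
    return json.loads(_b64url_decode(p))

def verify_strict(token: str, secret: bytes = DEMO_SECRET,
                  allowed_algs=("HS256",)) -> dict:
    """Hardened: the verifier owns the algorithm allow-list; 'none' is never on it."""
    h, p, s = token.split(".")
    if json.loads(_b64url_decode(h)).get("alg") not in allowed_algs:
        raise ValueError("alg not permitted")
    _check_hs256(h, p, s, secret)          # always runs for an allowed alg
    return json.loads(_b64url_decode(p))

def is_accepted(verifier, token: str) -> bool:
    """True if the verifier returns claims for the token instead of rejecting it."""
    try:
        verifier(token)
        return True
    except ValueError:
        return False
```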
History

Thu, 12 Dec 2024 02:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Redhat
                    |                | Redhat ceph Storage
CPEs                |                | cpe:/a:redhat:ceph_storage:8.0::el9
Vendors & Products  |                | Redhat
                    |                | Redhat ceph Storage

Tue, 03 Dec 2024 14:45:00 +0000

Type        | Values Removed                            | Values Added
Description | No description is available for this CVE. | A vulnerability in the Ceph Rados Gateway (RadosGW) OIDC provider allows attackers to bypass JWT signature verification by supplying a token with "none" as the algorithm (alg). This occurs because the implementation fails to enforce strict signature validation, enabling attackers to forge valid tokens without a signature.

Mon, 02 Dec 2024 14:30:00 +0000

Type        | Values Removed        | Values Added
Description |                       | No description is available for this CVE.
Title       |                       | ceph: rhceph-container: Authentication bypass in CEPH RadosGW
Weaknesses  |                       | CWE-345
References  |                       |
Metrics     | threat_severity: None | threat_severity: Important

MITRE

No data.

Vulnrichment

No data.

NVD

No data.

Redhat

Severity: Important

Public Date: 2024-12-02T00:00:00Z

Links: CVE-2024-48916 - Bugzilla