A vulnerability in the Ceph Rados Gateway (RadosGW) OIDC provider allows attackers to bypass JWT signature verification by supplying a token with "none" as the algorithm (alg). This occurs because the implementation fails to enforce strict signature validation, enabling attackers to forge valid tokens without a signature.
Metrics
Affected Vendors & Products
References
History
Thu, 12 Dec 2024 02:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Redhat
Redhat ceph Storage |
|
CPEs | cpe:/a:redhat:ceph_storage:8.0::el9 | |
Vendors & Products |
Redhat
Redhat ceph Storage |
Tue, 03 Dec 2024 14:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | No description is available for this CVE. | A vulnerability in the Ceph Rados Gateway (RadosGW) OIDC provider allows attackers to bypass JWT signature verification by supplying a token with "none" as the algorithm (alg). This occurs because the implementation fails to enforce strict signature validation, enabling attackers to forge valid tokens without a signature. |
Mon, 02 Dec 2024 14:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | No description is available for this CVE. | |
Title | ceph: rhceph-container: Authentication bypass in CEPH RadosGW | |
Weaknesses | CWE-345 | |
References |
| |
Metrics |
threat_severity
|
threat_severity
|
MITRE
No data.
Vulnrichment
No data.
NVD
No data.
Redhat