CVE-2024-48916 — HIGH (8.1)

Vulnerability Description

Ceph is a distributed object, block, and file storage platform. In versions 19.2.3 and below, it is possible to send an JWT that has "none" as JWT alg. And by doing so the JWT signature is not checked. The vulnerability is most likely in the RadosGW OIDC provider. As of time of publication, a known patched version has yet to be published.

CVSS Score

8.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Related Weaknesses (CWE)

CWE-345

References

https://github.com/ceph/ceph/security/advisories/GHSA-5g9m-mmp6-93mq

FAQ

What is CVE-2024-48916?

CVE-2024-48916 is a vulnerability with a CVSS score of 8.1 (HIGH). Ceph is a distributed object, block, and file storage platform. In versions 19.2.3 and below, it is possible to send an JWT that has "none" as JWT alg. And by doing so the JWT signature is not checked...

How severe is CVE-2024-48916?

CVE-2024-48916 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-48916?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.