CVE-2020-10736

Published: 22 June 2020

An authorization bypass vulnerability was found in Ceph versions 15.2.0 before 15.2.2, where the ceph-mon and ceph-mgr daemons do not properly restrict access, allowing access to unauthorized resources. This flaw allows an authenticated client to modify the configuration and possibly conduct further attacks.

Priority

Medium

CVSS 3 base score: 8.0

Status

Package: ceph (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Released (15.2.2)
Ubuntu 20.04 LTS (Focal Fossa): Released (15.2.7-0ubuntu0.20.04.2)
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (code not present)
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (code not present)
Ubuntu 14.04 ESM (Trusty Tahr): Not vulnerable (code not present)

Patches:
Upstream: https://github.com/ceph/ceph/commit/c7e7009a690621aacd4ac2c70c6469f25d692868 (master)
Upstream: https://github.com/ceph/ceph/commit/f2cf2ce1bd9a86462510a7a12afa4e528b615df2 (v15.2.2)

Notes

Author: mdeslaur
Note:
introduced in 15.2.0
fixed in 15.2.3-0ubuntu0.20.04.1 in focal-updates, but not yet in security pocket.

References