{"containers": {"cna": {"affected": [{"product": "ceph", "vendor": "Red Hat", "versions": [{"status": "affected", "version": "1.3 and 2"}]}], "datePublic": "2016-12-08T00:00:00", "descriptions": [{"lang": "en", "value": "A flaw was found in the way Ceph Object Gateway would process cross-origin HTTP requests if the CORS policy was set to allow origin on a bucket. A remote unauthenticated attacker could use this flaw to cause denial of service by sending a specially-crafted cross-origin HTTP request. Ceph branches 1.3.x and 2.x are affected."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-08-02T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2016:2954", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2954.html"}, {"name": "RHSA-2016:2995", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2995.html"}, {"name": "94936", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/94936"}, {"name": "RHSA-2016:2994", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2994.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://tracker.ceph.com/issues/18187"}, {"name": "RHSA-2016:2956", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2956.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9579"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T02:59:01.690Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2016:2954", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2954.html"}, {"name": "RHSA-2016:2995", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2995.html"}, {"name": "94936", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/94936"}, {"name": "RHSA-2016:2994", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2994.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://tracker.ceph.com/issues/18187"}, {"name": "RHSA-2016:2956", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2956.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9579"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2016-9579", "datePublished": "2018-08-01T16:00:00", "dateReserved": "2016-11-23T00:00:00", "dateUpdated": "2024-08-06T02:59:01.690Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ceph_storage:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "26E67C3A-4458-4DC9-B40E-C0B285C87211", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ceph_storage_mon:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "01F0F540-E08A-43DB-AD86-7FD8B212BFCB", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ceph_storage_mon:2:*:*:*:*:*:*:*", "matchCriteriaId": "8C2EBAD9-F0D5-4176-9C4D-001B230E699E", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ceph_storage_osd:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "6ECF4DC0-ECE3-40C0-ABF3-A8E17C17589C", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ceph_storage_osd:2:*:*:*:*:*:*:*", "matchCriteriaId": "AA5F5227-DBDA-4C01-BF7C-4D53F455404F", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "33C068A4-3780-4EAB-A937-6082DF847564", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "825ECE2D-E232-46E0-A047-074B34DB1E97", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ceph_storage:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "D07DF15E-FE6B-4DAF-99BB-2147CF7D7EEA", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": false}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ceph_storage:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "26E67C3A-4458-4DC9-B40E-C0B285C87211", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": false}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the way Ceph Object Gateway would process cross-origin HTTP requests if the CORS policy was set to allow origin on a bucket. A remote unauthenticated attacker could use this flaw to cause denial of service by sending a specially-crafted cross-origin HTTP request. Ceph branches 1.3.x and 2.x are affected."}, {"lang": "es", "value": "Se ha encontrado un error en la forma en la que Ceph Object Gateway procesa peticiones HTTP cross-origin si la pol\u00edtica CORS est\u00e1 configurada para permitir el origen en un bucket. Un atacante remoto no autenticado podr\u00eda utilizar este problema para provocar una denegaci\u00f3n de servicio (DoS) mediante el env\u00edo de una petici\u00f3n HTTP cross-origin especialmente manipulada. Las ramas de Ceph 1.3.x y 2.x se han visto afectadas."}], "id": "CVE-2016-9579", "lastModified": "2024-11-21T03:01:25.820", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-08-01T16:29:00.427", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2954.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2956.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2994.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2995.html"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "http://tracker.ceph.com/issues/18187"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/94936"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9579"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2954.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2956.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2994.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2995.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "http://tracker.ceph.com/issues/18187"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/94936"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9579"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2016:2994", "cpe": "cpe:/a:redhat:ceph_storage:1.3::el7", "package": "ceph-1:0.94.9-9.el7cp", "product_name": "Red Hat Ceph Storage 1.3 for Red Hat Enterprise Linux 7", "release_date": "2016-12-21T00:00:00Z"}, {"advisory": "RHSA-2016:2995", "cpe": "cpe:/a:redhat:ceph_storage:1.3::ubuntu:14.04", "product_name": "Red Hat Ceph Storage 1.3 for Ubuntu", "release_date": "2016-12-21T00:00:00Z"}, {"advisory": "RHSA-2016:2954", "cpe": "cpe:/a:redhat:ceph_storage:2::el7", "package": "ceph-1:10.2.3-17.el7cp", "product_name": "Red Hat Ceph Storage 2 for Red Hat Enterprise Linux 7", "release_date": "2016-12-15T00:00:00Z"}, {"advisory": "RHSA-2016:2956", "cpe": "cpe:/a:redhat:ceph_storage:2::ubuntu16.04", "product_name": "Red Hat Ceph Storage 2 for Ubuntu", "release_date": "2016-12-15T00:00:00Z"}], "bugzilla": {"description": "ceph: Object Gateway server DoS by sending invalid cross-origin HTTP request", "id": "1403245", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1403245"}, "csaw": false, "cvss": {"cvss_base_score": "5.0", "cvss_scoring_vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "verified"}, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["A flaw was found in the way Ceph Object Gateway would process cross-origin HTTP requests if the CORS policy was set to allow origin on a bucket. A remote unauthenticated attacker could use this flaw to cause denial of service by sending a specially-crafted cross-origin HTTP request. Ceph branches 1.3.x and 2.x are affected.", "A flaw was found in the way Ceph Object Gateway would process cross-origin HTTP requests if the CORS policy was set to allow origin on a bucket. A remote unauthenticated attacker could use this flaw to cause denial of service by sending a specially-crafted cross-origin HTTP request."], "name": "CVE-2016-9579", "package_state": [{"cpe": "cpe:/a:redhat:openstack:5::el6", "fix_state": "Not affected", "package_name": "ceph", "product_name": "Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)"}, {"cpe": "cpe:/a:redhat:openstack:6", "fix_state": "Not affected", "package_name": "ceph", "product_name": "Red Hat Enterprise Linux OpenStack Platform 6 (Juno)"}, {"cpe": "cpe:/a:redhat:openstack-installer:6", "fix_state": "Not affected", "package_name": "ceph", "product_name": "Red Hat Enterprise Linux OpenStack Platform 6 (Juno) Installer"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Not affected", "package_name": "puppet-ceph", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}], "public_date": "2016-12-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-9579\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-9579"], "threat_severity": "Moderate"}