{"containers": {"cna": {"affected": [{"product": "ceph-dashboard", "vendor": "n/a", "versions": [{"status": "affected", "version": "as shipped in Red Hat Ceph Storage 4"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Red Hat Ceph Storage 4, in the Dashboard component. In response to CVE-2020-27839, the JWT token was moved from localStorage to an httpOnly cookie. However, token cookies are used in the body of the HTTP response for the documentation, which again makes it available to XSS.The greatest threat to the system is for confidentiality, integrity, and availability."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-26T23:56:39", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1950116"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ceph/ceph/blob/f1557e8f62d31883d3d34ae241a1a26af11d923f/src/pybind/mgr/dashboard/controllers/docs.py#L394-L409"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ceph/ceph/commit/adda853e64bdba1288d46bc7d462d23d8f2f10ca"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ceph/ceph/commit/7a1ca8d372da3b6a4fc3d221a0e5f72d1d61c27b"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ceph/ceph/commit/af3fffab3b0f13057134d96e5d481e400d8bfd27"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2021-3509", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ceph-dashboard", "version": {"version_data": [{"version_value": "as shipped in Red Hat Ceph Storage 4"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in Red Hat Ceph Storage 4, in the Dashboard component. In response to CVE-2020-27839, the JWT token was moved from localStorage to an httpOnly cookie. However, token cookies are used in the body of the HTTP response for the documentation, which again makes it available to XSS.The greatest threat to the system is for confidentiality, integrity, and availability."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1950116", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1950116"}, {"name": "https://github.com/ceph/ceph/blob/f1557e8f62d31883d3d34ae241a1a26af11d923f/src/pybind/mgr/dashboard/controllers/docs.py#L394-L409", "refsource": "MISC", "url": "https://github.com/ceph/ceph/blob/f1557e8f62d31883d3d34ae241a1a26af11d923f/src/pybind/mgr/dashboard/controllers/docs.py#L394-L409"}, {"name": "https://github.com/ceph/ceph/commit/adda853e64bdba1288d46bc7d462d23d8f2f10ca", "refsource": "MISC", "url": "https://github.com/ceph/ceph/commit/adda853e64bdba1288d46bc7d462d23d8f2f10ca"}, {"name": "https://github.com/ceph/ceph/commit/7a1ca8d372da3b6a4fc3d221a0e5f72d1d61c27b", "refsource": "MISC", "url": "https://github.com/ceph/ceph/commit/7a1ca8d372da3b6a4fc3d221a0e5f72d1d61c27b"}, {"name": "https://github.com/ceph/ceph/commit/af3fffab3b0f13057134d96e5d481e400d8bfd27", "refsource": "MISC", "url": "https://github.com/ceph/ceph/commit/af3fffab3b0f13057134d96e5d481e400d8bfd27"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T16:53:17.842Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1950116"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ceph/ceph/blob/f1557e8f62d31883d3d34ae241a1a26af11d923f/src/pybind/mgr/dashboard/controllers/docs.py#L394-L409"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ceph/ceph/commit/adda853e64bdba1288d46bc7d462d23d8f2f10ca"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ceph/ceph/commit/7a1ca8d372da3b6a4fc3d221a0e5f72d1d61c27b"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ceph/ceph/commit/af3fffab3b0f13057134d96e5d481e400d8bfd27"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2021-3509", "datePublished": "2021-05-26T23:56:39", "dateReserved": "2021-04-20T00:00:00", "dateUpdated": "2024-08-03T16:53:17.842Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ceph_storage:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "D6E54096-5D45-4CB2-AC9A-DDB55BF2B94C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Red Hat Ceph Storage 4, in the Dashboard component. In response to CVE-2020-27839, the JWT token was moved from localStorage to an httpOnly cookie. However, token cookies are used in the body of the HTTP response for the documentation, which again makes it available to XSS.The greatest threat to the system is for confidentiality, integrity, and availability."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en Red Hat Ceph Storage 4, en el componente Dashboard. En respuesta a CVE-2020-27839, el token JWT fue movido de localStorage a una cookie httpOnly. Sin embargo, las cookies de token son usados en el cuerpo de la respuesta HTTP para la documentaci\u00f3n, que de nuevo lo pone a disposici\u00f3n de un ataque de tipo XSS. La mayor amenaza para el sistema es la confidencialidad, integridad y disponibilidad"}], "id": "CVE-2021-3509", "lastModified": "2024-11-21T06:21:42.887", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-27T00:15:08.577", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1950116"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ceph/ceph/blob/f1557e8f62d31883d3d34ae241a1a26af11d923f/src/pybind/mgr/dashboard/controllers/docs.py#L394-L409"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ceph/ceph/commit/7a1ca8d372da3b6a4fc3d221a0e5f72d1d61c27b"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ceph/ceph/commit/adda853e64bdba1288d46bc7d462d23d8f2f10ca"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ceph/ceph/commit/af3fffab3b0f13057134d96e5d481e400d8bfd27"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1950116"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ceph/ceph/blob/f1557e8f62d31883d3d34ae241a1a26af11d923f/src/pybind/mgr/dashboard/controllers/docs.py#L394-L409"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ceph/ceph/commit/7a1ca8d372da3b6a4fc3d221a0e5f72d1d61c27b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ceph/ceph/commit/adda853e64bdba1288d46bc7d462d23d8f2f10ca"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ceph/ceph/commit/af3fffab3b0f13057134d96e5d481e400d8bfd27"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Sergey Bobrov (Kaspersky) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2021:2445", "cpe": "cpe:/a:redhat:ceph_storage:4::el7", "package": "ceph-2:14.2.11-181.el8cp", "product_name": "Red Hat Ceph Storage 4.2", "release_date": "2021-06-15T00:00:00Z"}], "bugzilla": {"description": "ceph-dashboard: Cross-site scripting via token Cookie", "id": "1950116", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1950116"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-79", "details": ["A flaw was found in Red Hat Ceph Storage 4, in the Dashboard component. In response to CVE-2020-27839, the JWT token was moved from localStorage to an httpOnly cookie. However, token cookies are used in the body of the HTTP response for the documentation, which again makes it available to XSS.The greatest threat to the system is for confidentiality, integrity, and availability.", "A flaw was found in the Red Hat Ceph Storage Dashboard. In response to CVE-2020-27839, the JWT token was moved from localStorage to an httpOnly cookie. However, token cookies are used in the body of the HTTP response for the documentation, which again makes it available to XSS. The greatest threat to the system is for confidentiality, integrity, and availability."], "name": "CVE-2021-3509", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "ceph", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "ceph", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "ceph", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "ceph", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Will not fix", "package_name": "ceph", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "package_name": "ceph", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}], "public_date": "2021-05-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-3509\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3509"], "statement": "Red Hat OpenStack Platform deployments use the ceph package directly from the Ceph channel; the RHOSP package will not be updated at this time.\nRed Hat OpenShift Container Storage (RHOCS) 4 shipped ceph package for the usage of RHOCS 4.2 only which has reached End of Life. The shipped version of ceph package is neither used nor supported with the release of RHOCS 4.3.\nRed Hat Ceph Storage (RHCS) 4 ships a version of ceph which has not been patched for CVE-2020-27839, and therefore, although not vulnerable to this specific flaw, would be vulnerable if CVE-2020-27839 were to be patched without recognition of the flaw.\nRed Hat Enterprise Linux 8 is not affected by this flaw as it does not include the ceph dashboard component.", "threat_severity": "Moderate", "upstream_fix": "pacific 16.2.3, octopus 15.2.11, nautilus 14.2.20"}