A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway) in versions before 14.2.21. The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. In addition, the prior bug fix for CVE-2020-10753 did not account for the use of \r as a header separator, thus a new flaw has been created.
Metrics
Affected Vendors & Products
Advisories
Source | ID | Title |
---|---|---|
![]() |
DLA-2735-1 | ceph security update |
![]() |
DLA-3629-1 | ceph security update |
![]() |
EUVD-2021-26840 | A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway) in versions before 14.2.21. The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. In addition, the prior bug fix for CVE-2020-10753 did not account for the use of \r as a header separator, thus a new flaw has been created. |
![]() |
USN-4998-1 | Ceph vulnerabilities |
![]() |
USN-5128-1 | Ceph vulnerabilities |
![]() |
USN-7706-1 | Ceph vulnerabilities |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
No history.

Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2024-08-03T17:01:06.034Z
Reserved: 2021-04-30T00:00:00
Link: CVE-2021-3524

No data.

Status : Modified
Published: 2021-05-17T17:15:08.773
Modified: 2024-11-21T06:21:45.760
Link: CVE-2021-3524


No data.