OpenCVE

IBM Storage Ceph 5.3z1, 5.3z5, and 6.1z1 could allow an authenticated user on the network to cause a denial of service from RGW. IBM X-Force ID: 268906.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Storage Ceph
Redhat	Ceph Storage

Configuration 1 [-]

OR	cpe:2.3:a:ibm:storage_ceph:5.3z1:::::::*
	cpe:2.3:a:ibm:storage_ceph:5.3z5:::::::*
	cpe:2.3:a:ibm:storage_ceph:6.1z1:::::::*

Package	CPE	Advisory	Released Date
Red Hat Ceph Storage 5.3
ceph-2:16.2.10-248.el9cp	cpe:/a:redhat:ceph_storage:5.3::el8	RHSA-2024:0745	2024-02-08T00:00:00Z
ceph-ansible-0:6.0.28.7-1.el8cp	cpe:/a:redhat:ceph_storage:5.3::el8	RHSA-2024:0745	2024-02-08T00:00:00Z
haproxy-0:2.2.19-5.el8cp	cpe:/a:redhat:ceph_storage:5.3::el8	RHSA-2024:0745	2024-02-08T00:00:00Z
Red Hat Ceph Storage 6.1
ceph-2:17.2.6-148.el9cp	cpe:/a:redhat:ceph_storage:6.1::el9	RHSA-2023:5693	2023-10-12T00:00:00Z
cephadm-ansible-0:3.0.0-1.el9cp	cpe:/a:redhat:ceph_storage:6.1::el9	RHSA-2023:5693	2023-10-12T00:00:00Z

References

Link	Providers
https://exchange.xforce.ibmcloud.com/vulnerabilities/268906
https://nvd.nist.gov/vuln/detail/CVE-2023-46159
https://www.cve.org/CVERecord?id=CVE-2023-46159
https://www.ibm.com/support/pages/node/7112263

History

No history.

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2024-02-02T02:28:51.876Z

Updated: 2024-08-22T14:17:41.397Z

Reserved: 2023-10-17T22:30:15.072Z

Link: CVE-2023-46159

Vulnrichment

Updated: 2024-08-02T20:37:39.768Z

NVD

Status : Modified

Published: 2024-02-02T03:15:09.920

Modified: 2024-11-21T08:28:00.460

Link: CVE-2023-46159

Redhat

Severity : Low

Publid Date: 2023-10-03T00:00:00Z

Links: CVE-2023-46159 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-46159", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2023-10-17T22:30:15.072Z", "datePublished": "2024-02-02T02:28:51.876Z", "dateUpdated": "2024-08-22T14:17:41.397Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Storage Ceph", "vendor": "IBM", "versions": [{"status": "affected", "version": "5.3z1, 5.3z5, 6.1z1"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "IBM Storage Ceph 5.3z1, 5.3z5, and 6.1z1 could allow an authenticated user on the network to cause a denial of service from RGW. IBM X-Force ID: 268906."}], "value": "IBM Storage Ceph 5.3z1, 5.3z5, and 6.1z1 could allow an authenticated user on the network to cause a denial of service from RGW. IBM X-Force ID: 268906."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2024-02-02T02:28:51.876Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.ibm.com/support/pages/node/7112263"}, {"tags": ["vdb-entry"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/268906"}], "source": {"discovery": "UNKNOWN"}, "title": "IBM Storage Ceph denial of service", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:37:39.768Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://www.ibm.com/support/pages/node/7112263"}, {"tags": ["vdb-entry", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/268906"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-22T14:17:32.627149Z", "id": "CVE-2023-46159", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T14:17:41.397Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.ibm.com/support/pages/node/7112263", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/268906", "tags": ["vdb-entry", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:37:39.768Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-46159", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-22T14:17:32.627149Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T14:17:37.315Z"}}], "cna": {"title": "IBM Storage Ceph denial of service", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.6, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "IBM", "product": "Storage Ceph", "versions": [{"status": "affected", "version": "5.3z1, 5.3z5, 6.1z1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.ibm.com/support/pages/node/7112263", "tags": ["vendor-advisory"]}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/268906", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "IBM Storage Ceph 5.3z1, 5.3z5, and 6.1z1 could allow an authenticated user on the network to cause a denial of service from RGW. IBM X-Force ID: 268906.", "supportingMedia": [{"type": "text/html", "value": "IBM Storage Ceph 5.3z1, 5.3z5, and 6.1z1 could allow an authenticated user on the network to cause a denial of service from RGW. IBM X-Force ID: 268906.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2024-02-02T02:28:51.876Z"}}}, "cveMetadata": {"cveId": "CVE-2023-46159", "state": "PUBLISHED", "dateUpdated": "2024-08-22T14:17:41.397Z", "dateReserved": "2023-10-17T22:30:15.072Z", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "datePublished": "2024-02-02T02:28:51.876Z", "assignerShortName": "ibm"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:storage_ceph:5.3z1:*:*:*:*:*:*:*", "matchCriteriaId": "A95784B2-A37B-4BB6-8F58-5BC850E2C807", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:storage_ceph:5.3z5:*:*:*:*:*:*:*", "matchCriteriaId": "4890230F-9EA1-4687-B1D4-B361CDAA4E5E", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:storage_ceph:6.1z1:*:*:*:*:*:*:*", "matchCriteriaId": "B7387F66-87B3-4DCC-837C-54F0BC8FBC4E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "IBM Storage Ceph 5.3z1, 5.3z5, and 6.1z1 could allow an authenticated user on the network to cause a denial of service from RGW. IBM X-Force ID: 268906."}, {"lang": "es", "value": "IBM Storage Ceph 5.3z1, 5.3z5 y 6.1z1 podr\u00eda permitir que un usuario autenticado en la red provoque una denegaci\u00f3n de servicio por parte de RGW. ID de IBM X-Force: 268906."}], "id": "CVE-2023-46159", "lastModified": "2024-11-21T08:28:00.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "psirt@us.ibm.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-02T03:15:09.920", "references": [{"source": "psirt@us.ibm.com", "tags": ["VDB Entry", "Vendor Advisory"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/268906"}, {"source": "psirt@us.ibm.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/7112263"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["VDB Entry", "Vendor Advisory"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/268906"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/7112263"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "psirt@us.ibm.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:0745", "cpe": "cpe:/a:redhat:ceph_storage:5.3::el8", "package": "ceph-2:16.2.10-248.el9cp", "product_name": "Red Hat Ceph Storage 5.3", "release_date": "2024-02-08T00:00:00Z"}, {"advisory": "RHSA-2024:0745", "cpe": "cpe:/a:redhat:ceph_storage:5.3::el8", "package": "ceph-ansible-0:6.0.28.7-1.el8cp", "product_name": "Red Hat Ceph Storage 5.3", "release_date": "2024-02-08T00:00:00Z"}, {"advisory": "RHSA-2024:0745", "cpe": "cpe:/a:redhat:ceph_storage:5.3::el8", "package": "haproxy-0:2.2.19-5.el8cp", "product_name": "Red Hat Ceph Storage 5.3", "release_date": "2024-02-08T00:00:00Z"}, {"advisory": "RHSA-2023:5693", "cpe": "cpe:/a:redhat:ceph_storage:6.1::el9", "package": "ceph-2:17.2.6-148.el9cp", "product_name": "Red Hat Ceph Storage 6.1", "release_date": "2023-10-12T00:00:00Z"}, {"advisory": "RHSA-2023:5693", "cpe": "cpe:/a:redhat:ceph_storage:6.1::el9", "package": "cephadm-ansible-0:3.0.0-1.el9cp", "product_name": "Red Hat Ceph Storage 6.1", "release_date": "2023-10-12T00:00:00Z"}], "bugzilla": {"description": "ceph: RGW crash upon misconfigured CORS rule", "id": "2215374", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2215374"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.6", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-20", "details": ["IBM Storage Ceph 5.3z1, 5.3z5, and 6.1z1 could allow an authenticated user on the network to cause a denial of service from RGW. IBM X-Force ID: 268906.", "A flaw was found in Ceph. Certain misconfigurations of CORS rules in Ceph could result in a significantly large memory allocation. This issue can lead to RGW crashing and a denial of service from an authenticated user on the network."], "name": "CVE-2023-46159", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Not affected", "package_name": "ceph", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Not affected", "package_name": "ceph", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "ceph", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "ceph", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ceph", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "ceph", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Not affected", "package_name": "ceph", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}], "public_date": "2023-10-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-46159\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-46159"], "statement": "Red Hat Enterprise Linux does not ship RGW, only the associated client libraries. Hence, versions of Ceph shipped in RHEL are not affected by this flaw.", "threat_severity": "Low"}