AZL-65996

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-65996.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-65996

Upstream

CVE-2024-48916

Published

2025-07-30T20:15:33Z

Modified

2026-04-01T05:20:40.708786Z

Summary

CVE-2024-48916 affecting package ceph for versions less than 16.2.10-9

Details

Ceph is a distributed object, block, and file storage platform. In versions 19.2.3 and below, it is possible to send an JWT that has "none" as JWT alg. And by doing so the JWT signature is not checked. The vulnerability is most likely in the RadosGW OIDC provider. As of time of publication, a known patched version has yet to be published.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-48916

Affected packages

Azure Linux:2 / ceph

Package

Name: ceph
Purl: pkg:rpm/azure-linux/ceph

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

16.2.10-9

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-65996.json"