CVE-2021-3509
See a problem?- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-3509
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-3509.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-3509
- Related
- Published
- 2021-05-27T00:15:08Z
- Modified
- 2024-09-11T04:50:57.532373Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
A flaw was found in Red Hat Ceph Storage 4, in the Dashboard component. In response to CVE-2020-27839, the JWT token was moved from localStorage to an httpOnly cookie. However, token cookies are used in the body of the HTTP response for the documentation, which again makes it available to XSS.The greatest threat to the system is for confidentiality, integrity, and availability.
- References
-
- https://bugzilla.redhat.com/show_bug.cgi?id=1950116
- https://github.com/ceph/ceph/blob/f1557e8f62d31883d3d34ae241a1a26af11d923f/src/pybind/mgr/dashboard/controllers/docs.py#L394-L409
- https://github.com/ceph/ceph/commit/7a1ca8d372da3b6a4fc3d221a0e5f72d1d61c27b
- https://github.com/ceph/ceph/commit/adda853e64bdba1288d46bc7d462d23d8f2f10ca
- https://github.com/ceph/ceph/commit/af3fffab3b0f13057134d96e5d481e400d8bfd27
- https://security-tracker.debian.org/tracker/CVE-2021-3509
Affected packages
Debian:11 / ceph
Package
- Name
- ceph
- Purl
- pkg:deb/debian/ceph?arch=source
Debian:12 / ceph
Package
- Name
- ceph
- Purl
- pkg:deb/debian/ceph?arch=source
Debian:13 / ceph
Package
- Name
- ceph
- Purl
- pkg:deb/debian/ceph?arch=source
Git / github.com/ceph/ceph
Affected ranges
- Type
- GIT
- Repo
- https://github.com/ceph/ceph
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixedFixed
Affected versions
Other
BRI-nautilus
mark-v0.*
mark-v0.70-wip
v0.*
v0.1
v0.10
v0.11
v0.12
v0.13
v0.14
v0.15
v0.16
v0.16.1
v0.17
v0.18
v0.19
v0.2
v0.20
v0.21
v0.21.1
v0.21.2
v0.21.3
v0.22
v0.22.1
v0.22.2
v0.23
v0.23.1
v0.23.2
v0.24
v0.24.1
v0.24.2
v0.24.3
v0.25
v0.25.1
v0.25.2
v0.26
v0.27
v0.27.1
v0.28
v0.28.1
v0.28.2
v0.29
v0.29.1
v0.3
v0.30
v0.31
v0.32
v0.33
v0.34
v0.35
v0.36
v0.37
v0.38
v0.39
v0.4
v0.40
v0.41
v0.42
v0.42.1
v0.42.2
v0.43
v0.44
v0.44.1
v0.44.2
v0.45
v0.46
v0.47
v0.47.1
v0.47.2
v0.47.3
v0.48argonaut
v0.49
v0.5
v0.50
v0.51
v0.52
v0.53
v0.54
v0.55
v0.55.1
v0.56
v0.57
v0.58
v0.59
v0.6
v0.60
v0.61
v0.62
v0.63
v0.64
v0.65
v0.66
v0.67
v0.67-rc1
v0.67-rc2
v0.67-rc3
v0.68
v0.69
v0.7
v0.7.1
v0.7.2
v0.7.3
v0.70
v0.71
v0.72
v0.72-rc1
v0.73
v0.74
v0.75
v0.76
v0.77
v0.78
v0.79
v0.8
v0.80
v0.80-rc1
v0.81
v0.82
v0.83
v0.84
v0.85
v0.86
v0.87
v0.88
v0.89
v0.9
v0.90
v0.91
v0.92
v0.93
v0.94
v10.*
v10.0.0
v10.0.1
v10.0.2
v10.0.3
v10.0.4
v10.0.5
v10.1.0
v10.1.1
v10.1.2
v10.2.0
v11.*
v11.0.0
v11.0.1
v11.0.2
v11.1.0
v12.*
v12.0.0
v12.0.1
v12.0.2
v12.0.3
v12.1.0
v12.1.1
v12.1.2
v13.*
v13.0.0
v13.0.1
v13.0.2
v13.1.0
v14.*
v14.0.0
v14.0.1
v14.1.0
v14.1.1
v14.2.0
v14.2.1
v14.2.10
v14.2.11
v14.2.12
v14.2.13
v14.2.14
v14.2.15
v14.2.16
v14.2.17
v14.2.18
v14.2.19
v14.2.2
v14.2.20
v14.2.3
v14.2.4
v14.2.5
v14.2.6
v14.2.7
v14.2.8
v14.2.9
v15.*
v15.0.0
v15.1.0
v15.1.1
v15.2.0
v15.2.1
v15.2.10
v15.2.11
v15.2.2
v15.2.3
v15.2.4
v15.2.5
v15.2.6
v15.2.7
v15.2.8
v15.2.9
v16.*
v16.0.0
v16.1.0
v16.2.0
v16.2.1
v16.2.2
v16.2.3
v9.*
v9.0.0
v9.0.1
v9.0.2
v9.0.3
v9.1.0
v9.2.0