CVE-2024-48916

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-48916

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-48916.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-48916

Downstream

DEBIAN-CVE-2024-48916

DSA-5825-1

OESA-2025-1206

OESA-2025-1207

OESA-2025-1208

OESA-2025-1209

RHSA-2024:10956

RHSA-2025:4238

RHSA-2025:4664

UBUNTU-CVE-2024-48916

USN-7182-1

Related

MGASA-2025-0011

Published

2025-07-30T20:15:33Z

Modified

2025-08-09T20:01:26Z

Summary

[none]

Details

Ceph is a distributed object, block, and file storage platform. In versions 19.2.3 and below, it is possible to send an JWT that has "none" as JWT alg. And by doing so the JWT signature is not checked. The vulnerability is most likely in the RadosGW OIDC provider. As of time of publication, a known patched version has yet to be published.

References

https://github.com/ceph/ceph/security/advisories/GHSA-5g9m-mmp6-93mq

Affected packages