CVE-2024-48916

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-48916
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-48916.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-48916
Aliases
  • GHSA-5g9m-mmp6-93mq
Downstream
Related
Published
2025-07-30T20:15:33Z
Modified
2025-07-31T20:45:39.297579Z
Summary
[none]
Details

Ceph is a distributed object, block, and file storage platform. In versions 19.2.3 and below, it is possible to send an JWT that has "none" as JWT alg. And by doing so the JWT signature is not checked. The vulnerability is most likely in the RadosGW OIDC provider. As of time of publication, a known patched version has yet to be published.

References

Affected packages

Debian:12 / ceph

Package

Name
ceph
Purl
pkg:deb/debian/ceph?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
16.2.15+ds-0+deb12u1

Affected versions

16.*

16.2.11+ds-2
16.2.11+ds-3
16.2.11+ds-4
16.2.11+ds-5
16.2.11+ds-5.1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / ceph

Package

Name
ceph
Purl
pkg:deb/debian/ceph?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
18.2.4+ds-11

Ecosystem specific 

{
    "urgency": "not yet assigned"
}