Vulnerability Details : CVE-2019-3821
A flaw was found in the way the civetweb frontend handled requests for the Ceph RGW server with SSL enabled. An unauthenticated attacker could open multiple connections to the Ceph RADOS gateway to exhaust file descriptors of the ceph-radosgw service, resulting in a remote denial of service.
Vulnerability category: Denial of service
Products affected by CVE-2019-3821
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
- cpe:2.3:a:ceph:civetweb:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-3821
- EPSS score: 1.01% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~84% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2019-3821
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | Red Hat, Inc. | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2019-3821
- The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed. Assigned by:
  - nvd@nist.gov (Primary)
  - secalert@redhat.com (Secondary)
References for CVE-2019-3821
- https://usn.ubuntu.com/4035-1/
  USN-4035-1: Ceph vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3821
  1656852 – (CVE-2019-3821) CVE-2019-3821 ceph: radosgw: Resource exhaustion via TCP connection to port serving the SSL endpoint (Issue Tracking; Third Party Advisory)
- https://github.com/ceph/civetweb/pull/33
  Fix file descriptor leak. by mdw-at-linuxbox · Pull Request #33 · ceph/civetweb · GitHub (Issue Tracking; Third Party Advisory)