Vulnerability Details : CVE-2021-3531
A flaw was found in the Red Hat Ceph Storage RGW in versions before 14.2.21. When processing a GET Request for a swift URL that ends with two slashes it can cause the rgw to crash, resulting in a denial of service. The greatest threat to the system is of availability.
Vulnerability category: Input validationDenial of service
Products affected by CVE-2021-3531
- cpe:2.3:a:redhat:ceph:*:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ceph_storage:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-3531
0.26%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 46 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-3531
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST | |
|
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
3.9
|
1.4
|
NIST |
CWE ids for CVE-2021-3531
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: secalert@redhat.com (Secondary)
-
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-3531
-
https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html
[SECURITY] [DLA 3629-1] ceph security update
-
https://bugzilla.redhat.com/show_bug.cgi?id=1955326
1955326 – (CVE-2021-3531) CVE-2021-3531 ceph: RGW unauthenticated denial of serviceIssue Tracking;Patch;Vendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX5ZHI5L7FOHXOSEV3TYBAL66DMLJ7V5/
[SECURITY] Fedora 32 Update: ceph-14.2.21-1.fc32 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZRUNDH2TJRZRWL3DCH2PQ6KROWTPQ7AJ/
[SECURITY] Fedora 33 Update: ceph-15.2.12-1.fc33 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LPCJN2YDZCBMF4FOJXSTAADKFGEQEO7O/
[SECURITY] Fedora 34 Update: ceph-16.2.4-1.fc34 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
http://www.openwall.com/lists/oss-security/2021/05/17/7
oss-security - Re: CVE-2021-3531: Ceph: RGW unauthenticated denial of serviceMailing List;Patch;Third Party Advisory
-
http://www.openwall.com/lists/oss-security/2021/05/14/5
oss-security - CVE-2021-3531: Ceph: RGW unauthenticated denial of serviceMailing List;Patch;Third Party Advisory
Jump to