CVE-2020-10736

NameCVE-2020-10736
DescriptionAn authorization bypass vulnerability was found in Ceph versions 15.2.0 before 15.2.2, where the ceph-mon and ceph-mgr daemons do not properly restrict access, resulting in gaining access to unauthorized resources. This flaw allows an authenticated client to modify the configuration and possibly conduct further attacks.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ceph (PTS)buster12.2.11+dfsg1-2.1fixed
buster (security)12.2.11+dfsg1-2.1+deb10u1fixed
bullseye14.2.21-1fixed
bookworm16.2.11+ds-2fixed
trixie16.2.11+ds-5fixed
sid18.2.1+ds-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cephsource(unstable)(not affected)

Notes

- ceph <not-affected> (Vulnerable code introduced later)
https://ceph.io/releases/v15-2-2-octopus-released/
https://github.com/ceph/ceph/commit/c7e7009a690621aacd4ac2c70c6469f25d692868 (master)
https://github.com/ceph/ceph/commit/f2cf2ce1bd9a86462510a7a12afa4e528b615df2 (v15.2.2)

Search for package or bug name: Reporting problems