| Name | CVE-2024-48916 |
| Description | Ceph is a distributed object, block, and file storage platform. In versions 19.2.3 and below, it is possible to send an JWT that has "none" as JWT alg. And by doing so the JWT signature is not checked. The vulnerability is most likely in the RadosGW OIDC provider. As of time of publication, a known patched version has yet to be published. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-5825-1 |
| Debian Bugs | 1088993 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| ceph (PTS) | bullseye | 14.2.21-1 | fixed |
| bookworm, bookworm (security) | 16.2.15+ds-0+deb12u1 | fixed | |
| forky, sid, trixie | 18.2.7+ds-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| ceph | source | bullseye | (not affected) | |||
| ceph | source | bookworm | 16.2.15+ds-0+deb12u1 | DSA-5825-1 | ||
| ceph | source | (unstable) | 18.2.4+ds-11 | 1088993 |
[bullseye] - ceph <not-affected> (Vulnerable code introduce later)
https://bugzilla.redhat.com/show_bug.cgi?id=2329846
https://tracker.ceph.com/issues/68836
https://github.com/ceph/ceph/pull/60624
Introduced with: https://github.com/ceph/ceph/commit/7566664f89be062e0c9f3519dc60b94c8af5e2a4 (v16.1.0)