CVE-2024-48916

Name: CVE-2024-48916
Description: Ceph is a distributed object, block, and file storage platform. In versions 19.2.3 and below, it is possible to send a JWT that has "none" as the JWT alg. By doing so, the JWT signature is not checked. The vulnerability is most likely in the RadosGW OIDC provider. As of time of publication, a known patched version has yet to be published.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DSA-5825-1
Debian Bugs: 1088993

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  Release                        Version               Status
ceph (PTS)      bullseye                       14.2.21-1             fixed
                bookworm, bookworm (security)  16.2.15+ds-0+deb12u1  fixed
                forky, sid, trixie             18.2.7+ds-1           fixed

The information below is based on the following data on fixed versions.

Package  Type    Release     Fixed Version         Urgency  Origin      Debian Bugs
ceph     source  bullseye    (not affected)
ceph     source  bookworm    16.2.15+ds-0+deb12u1           DSA-5825-1
ceph     source  (unstable)  18.2.4+ds-1                                1088993

Notes

[bullseye] - ceph <not-affected> (Vulnerable code introduced later)
https://bugzilla.redhat.com/show_bug.cgi?id=2329846
https://tracker.ceph.com/issues/68836
https://github.com/ceph/ceph/pull/60624
Introduced with: https://github.com/ceph/ceph/commit/7566664f89be062e0c9f3519dc60b94c8af5e2a4 (v16.1.0)
