QwikSec

Security Database

CVE

CWE

Training

CVE-2021-3509

Published: May 26, 2021

Modified: Aug 3, 2024

PUBLISHED

Description

A flaw was found in Red Hat Ceph Storage 4, in the Dashboard component. In response to CVE-2020-27839, the JWT token was moved from localStorage to an httpOnly cookie. However, token cookies are used in the body of the HTTP response for the documentation, which again makes it available to XSS.The greatest threat to the system is for confidentiality, integrity, and availability.

Vendor	Product	Versions
n/a	ceph-dashboard	affected `as shipped in Red Hat Ceph Storage 4`

Weaknesses (CWE)

References

https://bugzilla.redhat.com/show_bug.cgi?id=1950116

x_refsource_MISC

https://github.com/ceph/ceph/blob/f1557e8f62d31883d3d34ae241a1a26af11d923f/src/pybind/mgr/dashboard/controllers/docs.py#L394-L409

x_refsource_MISC

https://github.com/ceph/ceph/commit/adda853e64bdba1288d46bc7d462d23d8f2f10ca

x_refsource_MISC

https://github.com/ceph/ceph/commit/7a1ca8d372da3b6a4fc3d221a0e5f72d1d61c27b

x_refsource_MISC

https://github.com/ceph/ceph/commit/af3fffab3b0f13057134d96e5d481e400d8bfd27

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.