BIT-ceph-2024-48916

Import Source
https://github.com/bitnami/vulndb/tree/main/data/ceph/BIT-ceph-2024-48916.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-ceph-2024-48916
Aliases
Published
2026-03-20T09:05:50.770Z
Modified
2026-03-24T15:30:06.797315Z
Summary
Ceph is vulnerable to authentication bypass through RadosGW
Details

Ceph is a distributed object, block, and file storage platform. In versions 19.2.3 and below, it is possible to send a JWT that has "none" as its JWT alg; when this is done, the JWT signature is not checked. The vulnerability is most likely in the RadosGW OIDC provider. As of time of publication, a known patched version has yet to be published.

Database specific
{
    "cpes": [
        "cpe:2.3:a:linuxfoundation:ceph:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
}
References

Affected packages

Bitnami / ceph

Package

Name
ceph
Purl
pkg:bitnami/ceph

Severity

  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
20.3.0

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/ceph/BIT-ceph-2024-48916.json"