CVE-2021-3524
- Source
- https://cve.org/CVERecord?id=CVE-2021-3524
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3524.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-3524
- Downstream
- Related
- Published
- 2021-05-17T17:15:08.773Z
- Modified
- 2026-04-02T06:09:20.485216Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway) in versions before 14.2.21. The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. In addition, the prior bug fix for CVE-2020-10753 did not account for the use of \r as a header separator, thus a new flaw has been created.
- References
-
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FX5ZHI5L7FOHXOSEV3TYBAL66DMLJ7V5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LPCJN2YDZCBMF4FOJXSTAADKFGEQEO7O/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZRUNDH2TJRZRWL3DCH2PQ6KROWTPQ7AJ/
- https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html
- https://lists.debian.org/debian-lts-announce/2021/08/msg00013.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1951674
Affected packages
Git / github.com/ceph/ceph
Affected ranges
- Type
- GIT
- Repo
- https://github.com/ceph/ceph
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "0" }, { "fixed": "14.2.21" }, { "introduced": "0" }, { "last_affected": "9.0" } ] }
Affected versions
Other
BRI-nautilus
SES1-GM
SES1-maint01
agogpemikxte-build-me
rrygrvmctuzz-build-me
ses2-gm
ses5-deepsea-pr-test
ses5-gm
ses5-milestone10
ses5-milestone11
ses5-milestone12
ses5-milestone5
ses5-milestone6
ses5-milestone7
ses5-milestone8
ses5-milestone9
suse_hammer
suse_latest
mark-v0.*
mark-v0.70-wip
v0.*
v0.1
v0.10
v0.11
v0.12
v0.13
v0.14
v0.15
v0.16
v0.16.1
v0.17
v0.18
v0.19
v0.19.1
v0.2
v0.20
v0.20.1
v0.20.2
v0.21
v0.21.1
v0.21.2
v0.21.3
v0.22
v0.22.1
v0.22.2
v0.23
v0.23.1
v0.23.2
v0.24
v0.24.1
v0.24.2
v0.24.3
v0.25
v0.25.1
v0.25.2
v0.26
v0.27
v0.27.1
v0.28
v0.28.1
v0.28.2
v0.29
v0.29.1
v0.3
v0.30
v0.31
v0.32
v0.33
v0.34
v0.35
v0.36
v0.37
v0.38
v0.39
v0.4
v0.40
v0.41
v0.42
v0.42.1
v0.42.2
v0.43
v0.44
v0.44.1
v0.44.2
v0.45
v0.46
v0.47
v0.47.1
v0.47.2
v0.47.3
v0.48.1argonaut
v0.48.2argonaut
v0.48.3argonaut
v0.48argonaut
v0.49
v0.5
v0.50
v0.51
v0.52
v0.53
v0.54
v0.55
v0.55.1
v0.56
v0.56.1
v0.56.2
v0.56.3
v0.56.4
v0.56.5
v0.56.6
v0.56.7
v0.57
v0.58
v0.59
v0.6
v0.60
v0.61
v0.61.1
v0.61.2
v0.61.3
v0.61.4
v0.61.5
v0.61.6
v0.61.7
v0.61.8
v0.61.9
v0.62
v0.63
v0.64
v0.65
v0.66
v0.67
v0.67-rc1
v0.67-rc2
v0.67-rc3
v0.67.1
v0.67.10
v0.67.11
v0.67.2
v0.67.3
v0.67.4
v0.67.5
v0.67.6
v0.67.7
v0.67.8
v0.67.9
v0.68
v0.69
v0.7
v0.7.1
v0.7.2
v0.7.3
v0.70
v0.71
v0.72
v0.72-rc1
v0.72.1
v0.72.2
v0.73
v0.74
v0.75
v0.76
v0.77
v0.78
v0.79
v0.8
v0.80
v0.80-rc1
v0.80.1
v0.80.10
v0.80.11
v0.80.2
v0.80.3
v0.80.4
v0.80.5
v0.80.6
v0.80.7
v0.80.8
v0.80.8.1
v0.80.8.2
v0.80.8.4
v0.80.8.5
v0.80.9
v0.81
v0.82
v0.83
v0.84
v0.85
v0.86
v0.87
v0.87.1
v0.87.2
v0.88
v0.89
v0.9
v0.90
v0.91
v0.92
v0.93
v0.94
v0.94.1
v0.94.1.1
v0.94.1.2
v0.94.1.3
v0.94.1.4
v0.94.1.5
v0.94.1.6
v0.94.1.7
v0.94.10
v0.94.2
v0.94.3
v0.94.3.1
v0.94.3.2
v0.94.3.3
v0.94.4
v0.94.5
v0.94.6
v0.94.7
v0.94.8
v0.94.9
v10.*
v10.2.10
v10.2.11
v10.2.6
v10.2.7
v10.2.8
v10.2.9
v11.*
v11.1.1
v11.2.0
v11.2.1
v12.*
v12.0.0
v12.0.1
v12.0.2
v12.0.3
v12.1.0
v12.1.1
v12.1.2
v12.1.3
v12.1.4
v12.2.0
v12.2.1
v12.2.10
v12.2.11
v12.2.12
v12.2.13
v12.2.14
v12.2.2
v12.2.3
v12.2.4
v12.2.5
v12.2.6
v12.2.7
v12.2.8
v12.2.9
v13.*
v13.0.0
v13.0.1
v13.0.2
v13.1.0
v13.1.1
v13.2.0
v13.2.1
v13.2.10
v13.2.2
v13.2.3
v13.2.4
v13.2.5
v13.2.6
v13.2.7
v13.2.8
v13.2.9
v14.*
v14.0.0
v14.0.1
v14.1.0
v14.1.1
v14.2.0
v14.2.1
v14.2.10
v14.2.11
v14.2.12
v14.2.13
v14.2.14
v14.2.15
v14.2.16
v14.2.17
v14.2.18
v14.2.19
v14.2.2
v14.2.20
v14.2.3
v14.2.4
v14.2.5
v14.2.6
v14.2.7
v14.2.8
v14.2.9
v15.*
v15.0.0
v15.1.0
v15.1.1
v15.2.0
v15.2.1
v15.2.10
v15.2.11
v15.2.12
v15.2.13
v15.2.14
v15.2.15
v15.2.16
v15.2.17
v15.2.2
v15.2.3
v15.2.4
v15.2.5
v15.2.6
v15.2.7
v15.2.8
v15.2.9
v16.*
v16.0.0
v16.1.0
v16.2.0
v16.2.1
v16.2.10
v16.2.11
v16.2.12
v16.2.13
v16.2.14
v16.2.15
v16.2.2
v16.2.3
v16.2.4
v16.2.5
v16.2.6
v16.2.7
v16.2.8
v16.2.9
v17.*
v17.0.0
v17.1.0
v17.2.0
v17.2.1
v17.2.2
v17.2.3
v17.2.4
v17.2.5
v17.2.6
v17.2.7
v17.2.8
v17.2.9
v18.*
v18.0.0
v18.1.0
v18.1.1
v18.1.2
v18.1.3
v18.2.0
v18.2.1
v18.2.2
v18.2.4
v18.2.5
v18.2.6
v18.2.7
v18.2.8
v19.*
v19.0.0
v19.1.0
v19.1.1
v19.2.0
v19.2.1
v19.2.2
v19.2.3
v19.3.0
v20.*
v20.0.0
v20.1.0
v20.1.1
v20.2.0
v20.3.0
v21.*
v21.0.0
v9.*
v9.0.0
Database specific
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "32"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "33"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "34"
}
]
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3524.json"