CVE-2021-3509 - OpenCVE

A flaw was found in Red Hat Ceph Storage 4, in the Dashboard component. In response to CVE-2020-27839, the JWT token was moved from localStorage to an httpOnly cookie. However, token cookies are used in the body of the HTTP response for the documentation, which again makes it available to XSS.The greatest threat to the system is for confidentiality, integrity, and availability.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Ceph Storage

Configuration 1 [-]

cpe:2.3:a:redhat:ceph_storage:4.0:*:*:*:*:*:*:*

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1950116	Issue Tracking Patch Vendor Advisory
https://github.com/ceph/ceph/blob/f1557e8f62d31883d3d34ae241a1a26af11d923f/src/pybind/mgr/dashboard/controllers/docs.py#L394-L409	Exploit Third Party Advisory
https://github.com/ceph/ceph/commit/7a1ca8d372da3b6a4fc3d221a0e5f72d1d61c27b	Patch Third Party Advisory
https://github.com/ceph/ceph/commit/adda853e64bdba1288d46bc7d462d23d8f2f10ca	Patch Third Party Advisory
https://github.com/ceph/ceph/commit/af3fffab3b0f13057134d96e5d481e400d8bfd27	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2021-05-26T23:56:39

Updated: 2021-05-26T23:56:39

Reserved: 2021-04-20T00:00:00

Link: CVE-2021-3509

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-05-27T00:15:08.577

Modified: 2022-04-25T17:08:08.887

Link: CVE-2021-3509

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "ceph-dashboard", "vendor": "n/a", "versions": [{"status": "affected", "version": "as shipped in Red Hat Ceph Storage 4"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Red Hat Ceph Storage 4, in the Dashboard component. In response to CVE-2020-27839, the JWT token was moved from localStorage to an httpOnly cookie. However, token cookies are used in the body of the HTTP response for the documentation, which again makes it available to XSS.The greatest threat to the system is for confidentiality, integrity, and availability."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-26T23:56:39", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1950116"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ceph/ceph/blob/f1557e8f62d31883d3d34ae241a1a26af11d923f/src/pybind/mgr/dashboard/controllers/docs.py#L394-L409"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ceph/ceph/commit/adda853e64bdba1288d46bc7d462d23d8f2f10ca"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ceph/ceph/commit/7a1ca8d372da3b6a4fc3d221a0e5f72d1d61c27b"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ceph/ceph/commit/af3fffab3b0f13057134d96e5d481e400d8bfd27"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2021-3509", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ceph-dashboard", "version": {"version_data": [{"version_value": "as shipped in Red Hat Ceph Storage 4"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in Red Hat Ceph Storage 4, in the Dashboard component. In response to CVE-2020-27839, the JWT token was moved from localStorage to an httpOnly cookie. However, token cookies are used in the body of the HTTP response for the documentation, which again makes it available to XSS.The greatest threat to the system is for confidentiality, integrity, and availability."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1950116", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1950116"}, {"name": "https://github.com/ceph/ceph/blob/f1557e8f62d31883d3d34ae241a1a26af11d923f/src/pybind/mgr/dashboard/controllers/docs.py#L394-L409", "refsource": "MISC", "url": "https://github.com/ceph/ceph/blob/f1557e8f62d31883d3d34ae241a1a26af11d923f/src/pybind/mgr/dashboard/controllers/docs.py#L394-L409"}, {"name": "https://github.com/ceph/ceph/commit/adda853e64bdba1288d46bc7d462d23d8f2f10ca", "refsource": "MISC", "url": "https://github.com/ceph/ceph/commit/adda853e64bdba1288d46bc7d462d23d8f2f10ca"}, {"name": "https://github.com/ceph/ceph/commit/7a1ca8d372da3b6a4fc3d221a0e5f72d1d61c27b", "refsource": "MISC", "url": "https://github.com/ceph/ceph/commit/7a1ca8d372da3b6a4fc3d221a0e5f72d1d61c27b"}, {"name": "https://github.com/ceph/ceph/commit/af3fffab3b0f13057134d96e5d481e400d8bfd27", "refsource": "MISC", "url": "https://github.com/ceph/ceph/commit/af3fffab3b0f13057134d96e5d481e400d8bfd27"}]}}}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2021-3509", "datePublished": "2021-05-26T23:56:39", "dateReserved": "2021-04-20T00:00:00", "dateUpdated": "2021-05-26T23:56:39", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ceph_storage:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "D6E54096-5D45-4CB2-AC9A-DDB55BF2B94C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Red Hat Ceph Storage 4, in the Dashboard component. In response to CVE-2020-27839, the JWT token was moved from localStorage to an httpOnly cookie. However, token cookies are used in the body of the HTTP response for the documentation, which again makes it available to XSS.The greatest threat to the system is for confidentiality, integrity, and availability."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en Red Hat Ceph Storage 4, en el componente Dashboard. En respuesta a CVE-2020-27839, el token JWT fue movido de localStorage a una cookie httpOnly. Sin embargo, las cookies de token son usados en el cuerpo de la respuesta HTTP para la documentaci\u00f3n, que de nuevo lo pone a disposici\u00f3n de un ataque de tipo XSS. La mayor amenaza para el sistema es la confidencialidad, integridad y disponibilidad"}], "id": "CVE-2021-3509", "lastModified": "2022-04-25T17:08:08.887", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-27T00:15:08.577", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1950116"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ceph/ceph/blob/f1557e8f62d31883d3d34ae241a1a26af11d923f/src/pybind/mgr/dashboard/controllers/docs.py#L394-L409"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ceph/ceph/commit/7a1ca8d372da3b6a4fc3d221a0e5f72d1d61c27b"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ceph/ceph/commit/adda853e64bdba1288d46bc7d462d23d8f2f10ca"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ceph/ceph/commit/af3fffab3b0f13057134d96e5d481e400d8bfd27"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "secalert@redhat.com", "type": "Primary"}]}