Unrated severity · NVD Advisory · Published May 26, 2021 · Updated Aug 3, 2024
CVE-2021-3509
Description
A flaw was found in Red Hat Ceph Storage 4, in the Dashboard component. In response to CVE-2020-27839, the JWT token was moved from localStorage to an httpOnly cookie. However, the token cookie's value is still written into the body of the HTTP response for the documentation page, which again makes it readable by XSS. The greatest threat to the system is for confidentiality, integrity, and availability.
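As an added illustration (hypothetical code, not Ceph's own dashboard code and not taken from the referenced commits): a documentation handler that copies the session cookie's value into the page body, beside one that leaves the token in the httpOnly cookie where script cannot read it, plus a response-body check a defender can run against such endpoints. The cookie name `token`, the sample JWT value and the handler names are constructed for this example.

```python
import json
import re
from http.cookies import SimpleCookie

# Constructed sample: a JWT-shaped value as it would sit in an httpOnly session cookie.
SAMPLE_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.c2lnbmF0dXJl"
COOKIE_NAME = "token"  # hypothetical cookie name, not Ceph's


def token_from_cookie_header(cookie_header):
    """Server-side: extract the session token from the Cookie request header."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def render_docs_vulnerable(cookie_header):
    """'Before' shape of the bug: the docs page embeds the token in the HTML so the
    in-page API explorer can send it. Any script running in that page (XSS) can
    now read API_TOKEN, which defeats the point of the httpOnly cookie."""
    token = token_from_cookie_header(cookie_header) or ""
    return (
        "<html><body><script>"
        f"var API_TOKEN = {json.dumps(token)};"
        "</script></body></html>"
    )


def render_docs_fixed(cookie_header):
    """Hardened shape: the body never carries the token. The API explorer sends
    requests with credentials so the browser attaches the httpOnly cookie itself."""
    return (
        "<html><body><script>"
        "var API_TOKEN = null;"
        "var FETCH_OPTS = {credentials: 'same-origin'};"
        "</script></body></html>"
    )


# Anything that looks like a base64url JWT (header.payload.signature, header starts with 'eyJ').
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def body_leaks_token(body, token):
    """Detection check for a response body: true if the cookie value appears
    verbatim or if any JWT-shaped string is present at all."""
    return token in body or JWT_RE.search(body) is not None


if __name__ == "__main__":
    header = f"{COOKIE_NAME}={SAMPLE_TOKEN}"
    print("vulnerable body leaks token:", body_leaks_token(render_docs_vulnerable(header), SAMPLE_TOKEN))
    print("fixed body leaks token:     ", body_leaks_token(render_docs_fixed(header), SAMPLE_TOKEN))
```

The check in `body_leaks_token` is the one to keep: moving a token into an httpOnly cookie only helps while no server-rendered page or API response echoes that cookie's value back into content that page script can read.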
Affected products
- Red Hat / Ceph Storage (from description; 18 entries)
- osv-coords (17 versions):
  - pkg:rpm/opensuse/ceph&distro=openSUSE%20Leap%2015.2
  - pkg:rpm/opensuse/ceph&distro=openSUSE%20Leap%2015.3
  - pkg:rpm/opensuse/ceph-test&distro=openSUSE%20Leap%2015.2
  - pkg:rpm/opensuse/ceph-test&distro=openSUSE%20Leap%2015.3
  - pkg:rpm/suse/ceph&distro=SUSE%20Enterprise%20Storage%206
  - pkg:rpm/suse/ceph&distro=SUSE%20Enterprise%20Storage%207
  - pkg:rpm/suse/ceph&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS
  - pkg:rpm/suse/ceph&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS
  - pkg:rpm/suse/ceph&distro=SUSE%20Linux%20Enterprise%20Micro%205.0
  - pkg:rpm/suse/ceph&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2
  - pkg:rpm/suse/ceph&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3
  - pkg:rpm/suse/ceph&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL
  - pkg:rpm/suse/ceph&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS
  - pkg:rpm/suse/ceph&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1
  - pkg:rpm/suse/ceph&distro=SUSE%20Manager%20Proxy%204.0
  - pkg:rpm/suse/ceph&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.0
  - pkg:rpm/suse/ceph&distro=SUSE%20Manager%20Server%204.0
- Affected version ranges (no CPE):
  - < 15.2.12.83+g528da226523-lp152.2.18.1
  - < 15.2.12.83+g528da226523-3.25.1
  - < 15.2.12.83+g528da226523-lp152.2.18.1
  - < 15.2.12.83+g528da226523-3.25.1
  - < 14.2.21.403+g69ab6ea274d-3.63.1
  - < 15.2.12.83+g528da226523-3.25.1
  - < 14.2.21.403+g69ab6ea274d-3.63.1
  - < 14.2.21.403+g69ab6ea274d-3.63.1
  - < 15.2.12.83+g528da226523-3.25.1
  - < 15.2.12.83+g528da226523-3.25.1
  - < 15.2.12.83+g528da226523-3.25.1
  - < 14.2.21.403+g69ab6ea274d-3.63.1
  - < 14.2.21.403+g69ab6ea274d-3.63.1
  - < 14.2.21.403+g69ab6ea274d-3.63.1
  - < 14.2.21.403+g69ab6ea274d-3.63.1
  - < 14.2.21.403+g69ab6ea274d-3.63.1
  - < 14.2.21.403+g69ab6ea274d-3.63.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- bugzilla.redhat.com/show_bug.cgi (MISC)
- github.com/ceph/ceph/blob/f1557e8f62d31883d3d34ae241a1a26af11d923f/src/pybind/mgr/dashboard/controllers/docs.py (MISC)
- github.com/ceph/ceph/commit/7a1ca8d372da3b6a4fc3d221a0e5f72d1d61c27b (MISC)
- github.com/ceph/ceph/commit/adda853e64bdba1288d46bc7d462d23d8f2f10ca (MISC)
- github.com/ceph/ceph/commit/af3fffab3b0f13057134d96e5d481e400d8bfd27 (MISC)
News mentions
No linked articles in our index yet.