CVE-2017-16818
MEDIUMCeph 12.1.0-12.2.1 - Authenticated Denial of Service via Invalid Profile Post to Admin API
Title source: llmDescription
RADOS Gateway in Ceph 12.1.0 through 12.2.1 allows remote authenticated users to cause a denial of service (assertion failure and application exit) by leveraging "full" (not necessarily admin) privileges to post an invalid profile to the admin API, related to rgw/rgw_iam_policy.cc, rgw/rgw_basic_types.h, and rgw/rgw_iam_types.h.
References (3)
Core 3
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/ceph/ceph/commit/b3118cabb8060a8cc6a01c4e8264cb18e7b1745a
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1515872
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6VJA32U7HKGDRJQDJVM7JBYWD4T7BJL/
Scores
CVSS v3
6.5
EPSS
0.0231
EPSS Percentile
81.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-617
Status
published
Products (2)
fedoraproject/fedora
27
redhat/ceph
12.1.0 - 12.2.1
Published
Dec 20, 2017
Tracked Since
Feb 18, 2026