CVE-2024-48916
Severity: HIGH
Ceph <= 19.2.3 - Insufficient Verification of Data Authenticity in RadosGW OIDC Provider
Title source: llmDescription
Ceph is a distributed object, block, and file storage platform. In versions 19.2.3 and below, a JWT whose header declares "none" as the alg is accepted without any signature check: because the verifier takes the algorithm from the token itself, an attacker can construct a token carrying arbitrary claims and an empty signature and have it treated as authentic. The vulnerability is most likely in the RadosGW OIDC provider. As of the time of publication, no patched version had been published.
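The following is an added example, not code from Ceph or RadosGW. It shows the failure mode the description refers to in isolation: a verifier that lets the token's own header pick the algorithm (and therefore skips the check for "none") next to a hardened verifier that pins an explicit allow-list before touching the signature. HS256 with a constructed shared secret is used only so the block is self-contained; a real OIDC provider verifies RS256/ES256 against the issuer's JWKS, but the alg "none" problem and its fix are the same. All function and constant names here are hypothetical.

```python
# Added example (not Ceph's code): forged alg "none" JWT versus a vulnerable and a
# hardened verifier. HS256 and the shared secret are constructed for the demo.
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"demo-shared-secret"  # constructed; stands in for the IdP key material
ALLOWED_ALGS = {"HS256"}             # hardened verifier: allow-list fixed by the server


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_compact(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a legitimately signed token (stands in for the identity provider)."""
    header = _b64url_encode(_json_compact({"alg": "HS256", "typ": "JWT"}))
    payload = _b64url_encode(_json_compact(claims))
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def forge_none_token(claims: dict) -> str:
    """Attacker side: arbitrary claims, alg "none", empty signature (RFC 7518 s3.6)."""
    header = _b64url_encode(_json_compact({"alg": "none", "typ": "JWT"}))
    payload = _b64url_encode(_json_compact(claims))
    return f"{header}.{payload}."


def _split(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims, parts


def verify_vulnerable(token: str, key: bytes) -> dict:
    """Flawed pattern: the token's own header decides whether a signature is checked."""
    header, claims, (h, p, s) = _split(token)
    alg = header.get("alg")
    if alg == "none":
        return claims  # signature check skipped entirely: attacker-chosen claims are trusted
    if alg == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(s)):
            return claims
    raise ValueError("signature verification failed")


def verify_hardened(token: str, key: bytes) -> dict:
    """Fixed pattern: reject any algorithm outside the server-side allow-list first."""
    header, claims, (h, p, s) = _split(token)
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:  # rejects "none", "None", "NONE", a missing alg, and confusion attacks
        raise ValueError(f"disallowed alg {alg!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("signature verification failed")
    return claims


def demo() -> dict:
    """Run both verifiers against a forged and a legitimate token; report who accepted what."""
    forged = forge_none_token({"iss": "https://idp.example", "sub": "admin", "aud": "rgw"})
    legit = sign_hs256({"iss": "https://idp.example", "sub": "alice", "aud": "rgw"}, SERVER_KEY)
    result = {}
    for name, verifier, token in (("vulnerable_accepts_forged", verify_vulnerable, forged),
                                  ("hardened_accepts_forged", verify_hardened, forged),
                                  ("hardened_accepts_legit", verify_hardened, legit)):
        try:
            verifier(token, SERVER_KEY)
            result[name] = True
        except ValueError:
            result[name] = False
    return result


if __name__ == "__main__":
    print(demo())
```

The hardened verifier never consults the token to learn how it should be verified: the algorithm (and, in a real OIDC deployment, the key selected by `kid`) comes from server-side configuration and the issuer's published keys. An allow-list also closes the case-variant spellings of "none" and algorithm-confusion tricks that a simple `alg == "none"` denylist would miss.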
References (1)
Vendor Advisory (x_refsource_confirm)
https://github.com/ceph/ceph/security/advisories/GHSA-5g9m-mmp6-93mq
Scores
CVSS v3.1 base score
8.1 (HIGH)
CVSS v3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
NETWORK
EPSS
0.0018 (0.18%)
EPSS Percentile
7.5%
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-345 (Insufficient Verification of Data Authenticity)
Status
published
Products (1)
ceph/ceph
<= 19.2.3
Published
Jul 30, 2025
Tracked Since
Feb 18, 2026