CVE-2020-10736

EUVD-2020-3160
An authorization bypass vulnerability was found in Ceph versions 15.2.0 before 15.2.2, where the ceph-mon and ceph-mgr daemons do not properly restrict access, resulting in gaining access to unauthorized resources. This flaw allows an authenticated client to modify the configuration and possibly conduct further attacks.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8 HIGH
ADJACENT_NETWORK
LOW
LOW
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
redhatCNA
8 HIGH
ADJACENT_NETWORK
LOW
LOW
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 20%
Affected Products (NVD)
VendorProductVersion
linuxfoundationceph
15.2.0 ≤
𝑥
< 15.2.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ceph
bookworm
16.2.11+ds-2
fixed
bullseye
14.2.21-1
fixed
sid
18.2.4+ds-7
fixed
trixie
18.2.4+ds-7
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ceph
bionic
not-affected
eoan
ignored
focal
Fixed 15.2.7-0ubuntu0.20.04.2
released
groovy
Fixed 15.2.3-0ubuntu1
released
trusty
not-affected
xenial
not-affected
Common Weakness Enumeration
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10736
https://ceph.io/releases/v15-2-2-octopus-released/
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10736
https://ceph.io/releases/v15-2-2-octopus-released/