CVE-2020-10736

An authorization bypass vulnerability was found in Ceph versions 15.2.0 before 15.2.2, where the ceph-mon and ceph-mgr daemons do not properly restrict access, resulting in gaining access to unauthorized resources. This flaw allows an authenticated client to modify the configuration and possibly conduct further attacks.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8 HIGH
ADJACENT_NETWORK
LOW
LOW
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
redhatCNA
8 HIGH
ADJACENT_NETWORK
LOW
LOW
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 21%
VendorProductVersion
linuxfoundationceph
15.2.0 ≤
𝑥
< 15.2.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ceph
bullseye
14.2.21-1
fixed
bookworm
16.2.11+ds-2
fixed
sid
18.2.4+ds-7
fixed
trixie
18.2.4+ds-7
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ceph
groovy
Fixed 15.2.3-0ubuntu1
released
focal
Fixed 15.2.7-0ubuntu0.20.04.2
released
eoan
ignored
bionic
not-affected
xenial
not-affected
trusty
not-affected
Common Weakness Enumeration
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10736
https://ceph.io/releases/v15-2-2-octopus-released/
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10736
https://ceph.io/releases/v15-2-2-octopus-released/