CVE-2020-27839

EUVD-2020-20337
A flaw was found in ceph-dashboard. The JSON Web Token (JWT) used for user authentication is stored by the frontend application in the browser’s localStorage which is potentially vulnerable to attackers via XSS attacks. The highest threat from this vulnerability is to data confidentiality and integrity.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
| --- | --- | --- | --- | --- | --- | --- |
| NIST | Primary | 5.4 MEDIUM | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |

EPSS Score
Percentile: 55%

Affected Products (NVD)

| Vendor | Product | Version |
| --- | --- | --- |
| redhat | ceph | 𝑥 < 14.2.17 |
| redhat | ceph | 15.2.0 ≤ 𝑥 < 15.2.9 |

𝑥 = Vulnerable software versions

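Debian Releases

| Debian Product | Codename | Version | Status |
| --- | --- | --- | --- |
| ceph | bookworm | 16.2.11+ds-2 | fixed |
| ceph | bullseye | 14.2.21-1 | fixed |
| ceph | buster | | not-affected |
| ceph | sid | 18.2.4+ds-7 | fixed |
| ceph | stretch | | not-affected |
| ceph | trixie | 18.2.4+ds-7 | fixed |
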
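Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
| --- | --- | --- | --- |
| ceph | bionic | | not-affected |
| ceph | focal | Fixed 15.2.12-0ubuntu0.20.04.1 | released |
| ceph | groovy | Fixed 15.2.12-0ubuntu0.20.10.1 | released |
| ceph | hirsute | Fixed 16.1.0-0ubuntu2 | released |
| ceph | impish | Fixed 16.1.0-0ubuntu2 | released |
| ceph | jammy | Fixed 16.1.0-0ubuntu2 | released |
| ceph | trusty | | not-affected |
| ceph | xenial | | not-affected |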