CVE-2020-27839

A flaw was found in ceph-dashboard. The JSON Web Token (JWT) used for user authentication is stored by the frontend application in the browser's localStorage, which is potentially vulnerable to attackers via XSS attacks. The highest threat from this vulnerability is to data confidentiality and integrity.

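| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 5.4 MEDIUM | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| redhat | CNA | --- | --- | | | |
| CVE | ADP | --- | --- | | | |
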
EPSS Score: Percentile: 55%

| Vendor | Product | Version |
|---|---|---|
| redhat | ceph | 𝑥 < 14.2.17 |
| redhat | ceph | 15.2.0 ≤ 𝑥 < 15.2.9 |

𝑥 = Vulnerable software versions

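Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| ceph | bullseye | 14.2.21-1 | fixed |
| ceph | buster | | not-affected |
| ceph | stretch | | not-affected |
| ceph | bookworm | 16.2.11+ds-2 | fixed |
| ceph | sid | 18.2.4+ds-7 | fixed |
| ceph | trixie | 18.2.4+ds-7 | fixed |
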
Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| ceph | jammy | Fixed 16.1.0-0ubuntu2 | released |
| ceph | impish | Fixed 16.1.0-0ubuntu2 | released |
| ceph | hirsute | Fixed 16.1.0-0ubuntu2 | released |
| ceph | groovy | Fixed 15.2.12-0ubuntu0.20.10.1 | released |
| ceph | focal | Fixed 15.2.12-0ubuntu0.20.04.1 | released |
| ceph | bionic | | not-affected |
| ceph | xenial | | not-affected |
| ceph | trusty | | not-affected |