Alpine: ceph16: security update to 16.2.4-r0

medium Tenable Cloud Security Plugin ID 403796

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A flaw was found in Red Hat Ceph Storage 4, in the Dashboard component. In response to CVE-2020-27839, the
JWT token was moved from localStorage to an httpOnly cookie. However, token cookies are used in the body
of the HTTP response for the documentation, which again makes it available to XSS. The greatest threat to
the system is for confidentiality, integrity, and availability. (CVE-2021-3509)

- A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway) in versions before 14.2.21. The
vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline
character in the ExposeHeader tag in the CORS configuration file generates a header injection in the
response when the CORS request is made. In addition, the prior bug fix for CVE-2020-10753 did not account
for the use of \r as a header separator, thus a new flaw has been created. (CVE-2021-3524)

- A flaw was found in the Red Hat Ceph Storage RGW in versions before 14.2.21. Processing a GET request
for a Swift URL that ends with two slashes can cause the RGW to crash, resulting in a denial of
service. The greatest threat to the system is to availability. (CVE-2021-3531)

See Also

https://security.alpinelinux.org/vuln/CVE-2021-3509

https://security.alpinelinux.org/vuln/CVE-2021-3524

https://security.alpinelinux.org/vuln/CVE-2021-3531

Plugin Details

Severity: Medium

ID: 403796

Version: Revision 1.24

Type: Local

Published: 10/31/2023

Updated: 3/12/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2021-3524

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 5/17/2021

Reference Information

CVE: CVE-2021-3509, CVE-2021-3524, CVE-2021-3531