CVE-2021-3524

A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway) in versions before 14.2.21. The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. In addition, the prior bug fix for CVE-2020-10753 did not account for the use of \r as a header separator, thus a new flaw has been created.

From the Ubuntu Security Team

Sergey Bobrov discovered that Ceph's RadosGW (Ceph Object Gateway) allowed the injection of HTTP headers in responses to CORS requests. An attacker could use this to violate system integrity.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
ceph	25.04 plucky	Fixed 16.2.4-0ubuntu1
	24.10 oracular	Fixed 16.2.4-0ubuntu1
	24.04 LTS noble	Fixed 16.2.4-0ubuntu1
	23.10 mantic	Fixed 16.2.4-0ubuntu1
	23.04 lunar	Fixed 16.2.4-0ubuntu1
	22.10 kinetic	Fixed 16.2.4-0ubuntu1
	22.04 LTS jammy	Fixed 16.2.4-0ubuntu1
	21.10 impish	Fixed 16.2.4-0ubuntu1
	21.04 hirsute	Fixed 16.2.6-0ubuntu0.21.04.2
	20.10 groovy	Fixed 15.2.12-0ubuntu0.20.10.1
	20.04 LTS focal	Fixed 15.2.12-0ubuntu0.20.04.1
	18.04 LTS bionic	Fixed 12.2.13-0ubuntu0.18.04.10
	16.04 LTS xenial	Fixed 10.2.11-0ubuntu0.16.04.3+esm2
	14.04 LTS trusty	Not affected

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro 30-day free trial

Notes

mdeslaur

this is fixed in 16.2.4 in hirsute-updates but has not been pushed to the security pocket

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
ceph	Upstream: 763aebb

Severity score breakdown

Parameter	Value
Base score	6.5 · Medium
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	None
Integrity impact	High
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References

Related Ubuntu Security Notices (USN)

USN-4998-1
Ceph vulnerabilities
25 June 2021

USN-5128-1
Ceph vulnerabilities
1 November 2021

USN-7706-1
Ceph vulnerabilities
20 August 2025

Other references

https://www.cve.org/CVERecord?id=CVE-2021-3524

Cvss 3 Severity Score