{"affected_release": [{"advisory": "RHSA-2025:4238", "cpe": "cpe:/a:redhat:ceph_storage:6.1::el8", "package": "ceph-2:17.2.6-277.el9cp", "product_name": "Red Hat Ceph Storage 6.1", "release_date": "2025-04-28T00:00:00Z"}, {"advisory": "RHSA-2025:4238", "cpe": "cpe:/a:redhat:ceph_storage:6.1::el8", "package": "oath-toolkit-0:2.6.12-1.el8cp", "product_name": "Red Hat Ceph Storage 6.1", "release_date": "2025-04-28T00:00:00Z"}, {"advisory": "RHSA-2025:4664", "cpe": "cpe:/a:redhat:ceph_storage:7.1::el8", "package": "ceph-2:18.2.1-329.el8cp", "product_name": "Red Hat Ceph Storage 7.1", "release_date": "2025-05-07T00:00:00Z"}, {"advisory": "RHSA-2025:4664", "cpe": "cpe:/a:redhat:ceph_storage:7.1::el8", "package": "oath-toolkit-0:2.6.12-1.el8cp", "product_name": "Red Hat Ceph Storage 7.1", "release_date": "2025-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:10956", "cpe": "cpe:/a:redhat:ceph_storage:8.0::el9", "package": "ceph-2:19.2.0-55.el9cp", "product_name": "Red Hat Ceph Storage 8.0", "release_date": "2024-12-11T00:00:00Z"}, {"advisory": "RHSA-2024:10957", "cpe": "cpe:/a:redhat:ceph_storage:8.0::el9", "package": "rhceph/grafana-rhel9:10.4.8-6", "product_name": "Red Hat Ceph Storage 8.0", "release_date": "2024-12-11T00:00:00Z"}, {"advisory": "RHSA-2024:10957", "cpe": "cpe:/a:redhat:ceph_storage:8.0::el9", "package": "rhceph/keepalived-rhel9:2.2.8-36", "product_name": "Red Hat Ceph Storage 8.0", "release_date": "2024-12-11T00:00:00Z"}, {"advisory": "RHSA-2024:10957", "cpe": "cpe:/a:redhat:ceph_storage:8.0::el9", "package": "rhceph/oauth2-proxy-rhel9:v7.6.0-6", "product_name": "Red Hat Ceph Storage 8.0", "release_date": "2024-12-11T00:00:00Z"}, {"advisory": "RHSA-2024:10957", "cpe": "cpe:/a:redhat:ceph_storage:8.0::el9", "package": "rhceph/rhceph-8-rhel9:8-212", "product_name": "Red Hat Ceph Storage 8.0", "release_date": "2024-12-11T00:00:00Z"}, {"advisory": "RHSA-2024:10957", "cpe": "cpe:/a:redhat:ceph_storage:8.0::el9", "package": 
"rhceph/rhceph-haproxy-rhel9:2.4.22-38", "product_name": "Red Hat Ceph Storage 8.0", "release_date": "2024-12-11T00:00:00Z"}, {"advisory": "RHSA-2024:10957", "cpe": "cpe:/a:redhat:ceph_storage:8.0::el9", "package": "rhceph/rhceph-promtail-rhel9:v3.0.0-9", "product_name": "Red Hat Ceph Storage 8.0", "release_date": "2024-12-11T00:00:00Z"}, {"advisory": "RHSA-2024:10957", "cpe": "cpe:/a:redhat:ceph_storage:8.0::el9", "package": "rhceph/snmp-notifier-rhel9:1.2.1-86", "product_name": "Red Hat Ceph Storage 8.0", "release_date": "2024-12-11T00:00:00Z"}], "bugzilla": {"description": "ceph: rhceph-container: Authentication bypass in CEPH RadosGW", "id": "2329846", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2329846"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-345", "details": ["A vulnerability in the Ceph Rados Gateway (RadosGW) OIDC provider allows attackers to bypass JWT signature verification by supplying a token with \"none\" as the algorithm (alg). 
This occurs because the implementation fails to enforce strict signature validation, enabling attackers to forge valid tokens without a signature."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-48916", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Affected", "package_name": "ceph", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Affected", "package_name": "rhceph/rhceph-4-rhel8", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Affected", "package_name": "ceph", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Affected", "package_name": "rhceph/rhceph-5-rhel8", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Affected", "package_name": "rhceph/rhceph-6-rhel9", "product_name": "Red Hat Ceph Storage 6"}, {"cpe": "cpe:/a:redhat:ceph_storage:7", "fix_state": "Affected", "package_name": "rhceph-container", "product_name": "Red Hat Ceph Storage 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "ceph", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "ceph", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/cephcsi-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}], "public_date": "2024-12-02T00:00:00Z", "references": 
["https://www.cve.org/CVERecord?id=CVE-2024-48916\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-48916\nhttps://github.com/ceph/ceph/pull/60624/commits/919da3696668a07c6810dfa39301950c81c2eba4\nhttps://github.com/ceph/ceph/security/advisories/GHSA-5g9m-mmp6-93mq\nhttps://tracker.ceph.com/issues/68836"], "statement": "This vulnerability is rated Important due to its ability to bypass JWT signature verification in Ceph Rados Gateway, allowing attackers to forge tokens and gain unauthorized access.\nOpenShift Data Foundation (ODF) is affected but not vulnerable to this issue. To exploit this issue, an attacker needs to use OIDC and manually set the algorithm to \"none\", then RadosGW will not validate the signature on a JWT. ODF is protected because it uses the Vault API to interface with OIDC (and other providers) and it does not support \"none\" as an algorithm type.", "threat_severity": "Important"}