CVE-2020-1760: XSS
First published: Thu Apr 23 2020(Updated: )
A flaw was found in the Ceph Object Gateway, where it supports request sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linuxfoundation Ceph | <14.2.21 | |
| Redhat Ceph Storage | =3.0 | |
| Redhat Ceph Storage | =4.0 | |
| Redhat Openshift Container Platform | =4.2 | |
| Fedoraproject Fedora | =31 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Debian Debian Linux | =9.0 | |
| debian/ceph | 14.2.21-1 16.2.11+ds-2 18.2.4+ds-7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1760
- https://www.openwall.com/lists/oss-security/2020/04/07/1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3A2UFR5IUIEXJUCF64GQ5OVLCZGODXE/
- https://usn.ubuntu.com/4528-1/
- https://security.gentoo.org/glsa/202105-39
- https://lists.debian.org/debian-lts-announce/2021/08/msg00013.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html
- https://launchpad.net/bugs/cve/CVE-2020-1760
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P3A2UFR5IUIEXJUCF64GQ5OVLCZGODXE/
- https://github.com/ceph/ceph-ci/commit/f4a0b2d9260a4523745875e3977a8a1ef9dc5e2e
- https://github.com/ceph/ceph-ci/commit/8aa1f77363ec32bdc57744a143035033291ab5e1
- https://github.com/ceph/ceph-ci/commit/18eb4d918b27d362312c29a3bbd57a421897c0a5
- https://github.com/ceph/ceph-ci/commit/1bf14094fec34770d2cc74317f4238ccb2dfef98
- https://security-tracker.debian.org/tracker/CVE-2020-1760
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1760
- https://nvd.nist.gov/vuln/detail/CVE-2020-1760
- https://ubuntu.com/security/CVE-2020-1760
Frequently Asked Questions
What is CVE-2020-1760?
CVE-2020-1760 is a vulnerability in the Ceph Object Gateway that allows potential XSS attacks due to the lack of proper neutralization of untrusted input.
How does CVE-2020-1760 affect the Ceph Object Gateway?
CVE-2020-1760 allows for potential XSS attacks in the Ceph Object Gateway when it supports requests sent by an anonymous user in Amazon S3.
What is the severity of CVE-2020-1760?
CVE-2020-1760 has a severity rating of medium with a CVSS score of 6.1.
How can I fix CVE-2020-1760?
To fix CVE-2020-1760, update your Ceph Object Gateway to one of the following versions: 14.2.21-1, 16.2.11+ds-2, or 16.2.11+ds-5.
Where can I find more information about CVE-2020-1760?
You can find more information about CVE-2020-1760 in the following references: [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1760), [Debian LTS Announcement](https://lists.debian.org/debian-lts-announce/2021/08/msg00013.html), [Fedora Project Archive](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3A2UFR5IUIEXJUCF64GQ5OVLCZGODXE/).
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/severity
- agent/author
- agent/weakness
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-api
- collector/nvd-index
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/remedy
- agent/tags
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/trending
- vendor/linuxfoundation
- canonical/linuxfoundation ceph
- vendor/redhat
- canonical/redhat ceph storage
- version/redhat ceph storage/3.0
- version/redhat ceph storage/4.0
- canonical/redhat openshift container platform
- version/redhat openshift container platform/4.2
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- package-manager/debian