Fluid Attacks Database

Description

Ceph is a distributed object, block, and file storage platform. In versions up to and including 19.2.3, using the argument x-amz-copy-source to put an object and specifying an empty string as its content leads to the RGW daemon crashing, resulting in a DoS attack. As of time of publication, no known patched versions exist.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	ceph	=16.2.11+ds-2 \|\| =16.2.11+ds-3 \|\| =16.2.11+ds-4 \|\| =16.2.11+ds-5 \|\| =16.2.11+ds-5.1 \|\| =16.2.15+ds-0+deb12u1 \|\| >=0 <16.2.15+ds-0+deb12u2	16.2.15+ds-0+deb12u2
debian 11	ceph	=14.2.21-1 \|\| =14.2.21-1+deb11u1 \|\| >=0 <14.2.21-1+deb11u2	14.2.21-1+deb11u2
debian 14	ceph	=18.2.7+ds-1 \|\| >=0 <18.2.7+ds-1.1	18.2.7+ds-1.1
debian 13	ceph	=18.2.7+ds-1 \|\| >=0 <18.2.7+ds-1+deb13u1	18.2.7+ds-1+deb13u1

Aliases

1. CVE-2024-478662. NVD-2024-478663. OSV-DEBIAN-2024-478664. OSV-2024-478665. SECURITY-TRACKER-CVE-2024-47866

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.