CVE-2020-1760 — ceph - security update

Description

A flaw was found in the Ceph Object Gateway, where it supports request sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input.

How to fix CVE-2020-1760

To remediate CVE-2020-1760, upgrade the affected package to a fixed version below.

Bitnami/ceph—upgrade to 14.2.21 or later
—upgrade to 14.2.9-1 or later
—upgrade to 0.80.7-2+deb8u4 or later

Is CVE-2020-1760 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 14.2.21
from 0, < 14.2.9-1
from 0, < 0.80.7-2+deb8u4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (9)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-1760
WEBbugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1760
WEBlists.debian.org/debian-lts-announce/2021/08/msg00013.html
WEBlists.debian.org/debian-lts-announce/2023/10/msg00034.html