Date: Thu, 25 Jun 2020 21:07:17 +0200
From: Przemyslaw Roguski <>
Subject: CVE-2020-10753 ceph: radosgw: HTTP header injection via CORS
 ExposeHeader tag

Hello Team,

A flaw was found in the Ceph Storage RadosGW (Ceph Object Gateway). The
vulnerability is related to the injection of HTTP headers via a CORS
ExposeHeader tag.
The newline character in the ExposeHeader tag in the CORS configuration
file generates a header injection in the response when the CORS request is
This issue affects the RadosGW S3 API; it does not affect the Swift API.

This flaw affects Nautilus and Octopus based versions.
Red Hat has assigned CVE-2020-10753 and rated it as a Moderate impact flaw.

The fix will be included in the Octopus version in the coming days.

Credit: William Bowling

Best Regards,
Przemyslaw Roguski  / Red Hat Product Security
