CVE-2024-47866
BaseFortify
Publication date: 2025-11-12
Last updated on: 2025-12-31
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | ceph | to 19.2.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-NVD-CWE-noinfo |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Ceph versions up to and including 19.2.3 occurs when the argument `x-amz-copy-source` is used to put an object with an empty string as its content. This causes the RGW daemon to crash, leading to a denial of service (DoS) attack.
How can this vulnerability impact me? :
The vulnerability can cause the RGW daemon in Ceph to crash, resulting in a denial of service (DoS) condition. This means that the storage service could become unavailable, potentially disrupting access to stored data and impacting system availability.
What immediate steps should I take to mitigate this vulnerability?
Since no patched versions are available, immediate mitigation steps include monitoring and blocking requests that use the 'x-amz-copy-source' argument with empty string content to prevent triggering the RGW daemon crash. Additionally, consider restricting access to the RGW service to trusted clients only and implementing network-level protections such as firewalls or rate limiting to reduce exposure to potential DoS attacks.