Bugzilla – Bug 997025
VUL-0: CVE-2016-7031: ceph-radosgw: anonymous user authorization bypass
Last modified: 2020-06-15 13:27:15 UTC
Description of problem:
An anonymous S3 user may be able to (incorrectly) list the contents of a bucket which has an authenticated_users=read ACL.
Version-Release number of selected component (if applicable):
This issue corresponds to upstream tracker issue
Fixed on master in
Staged hammer backport:
Upstream hammer backport just merged; will be in 0.94.10 release. After that release happens, we'll get it into SES2.1 via a maintenance update.
This bug is only present in SES2.1, which went out of maintenance on March 1, 2017.