CVE-2016-7031

Published: Oct 3, 2016Modified: May 6, 2026

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The RGW code in Ceph before 10.0.1, when authenticated-read ACL is applied to a bucket, allows remote attackers to list the bucket contents via a URL.

Affected (2)

Products: Ceph Project: Ceph · Redhat: Ceph Storage

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Ceph Project Ceph	Up to 10.0.0
Redhat Ceph Storage	Up to 1.3.2

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-254

References (12)

http://docs.ceph.com/docs/master/release-notes/#v10-0-1

Source: secalert@redhat.com

Release NotesVendor Advisory

http://rhn.redhat.com/errata/RHSA-2016-1972.html

Source: secalert@redhat.com

Release NotesThird Party Advisory

http://rhn.redhat.com/errata/RHSA-2016-1973.html

Source: secalert@redhat.com

http://tracker.ceph.com/issues/13207

Source: secalert@redhat.com

ExploitIssue TrackingVendor Advisory

http://www.securityfocus.com/bid/93240

Source: secalert@redhat.com

https://github.com/ceph/ceph/pull/6057

Source: secalert@redhat.com

PatchVendor Advisory

http://docs.ceph.com/docs/master/release-notes/#v10-0-1