DEBIAN-CVE-2024-48916
Advisory lineage Upstream: 1 Downstream: 1
Upstream
Downstream
Published: 30 Jul 2025, 20:15
Last modified:28 Apr 2026, 20:28
Vulnerability Summary
Overall Risk (default)
medium
32/100 CVSS Score
8.1 HIGH
3.1 (osv_debian)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
30 Jul 2025, 20:15
Published
Vulnerability first disclosed
28 Apr 2026, 20:28
Last Modified
Vulnerability information updated
Description
Ceph is a distributed object, block, and file storage platform. In versions 19.2.3 and below, it is possible to send an JWT that has "none" as JWT alg. And by doing so the JWT signature is not checked. The vulnerability is most likely in the RadosGW OIDC provider. As of time of publication, a known patched version has yet to be published.
CVSS Metrics
- v3.1•HIGH•Score: 8.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected Systems
- debian•ceph
< 16.2.15+ds-0+deb12u1 | < 18.2.4+ds-11 | < 18.2.4+ds-11