CVE-2020-1700

Description

A flaw was found in the way the Ceph RGW Beast front-end handles unexpected disconnects. An authenticated attacker can abuse this flaw by making multiple disconnect attempts resulting in a permanent leak of a socket connection by radosgw. This flaw could lead to a denial of service condition by pile up of CLOSE_WAIT sockets, eventually leading to the exhaustion of available resources, preventing legitimate users from connecting to the system.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected products

Unknown / ceph14.2.4-125.el8cp – 14.2.4-125.el8cp
Unknown / ceph14.2.4-51.el7cp – 14.2.4-51.el7cp

References

MISChttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1700
MAILING_LISThttp://lists.opensuse.org/opensuse-security-announce/2020-02/msg00009.html
VENDOR_ADVISORYhttps://usn.ubuntu.com/4304-1/
MAILING_LISThttps://lists.debian.org/debian-lts-announce/2023/10/msg00034.html