Unauthorized Access to RGW for Ceph in Spectrum Fusion HCI 2.5.2-2.7.2
CVE-2023-43040

6.5 MEDIUM

Key Information:

Vendor: IBM
CVE Published: 14 May 2024

Badges

👾 Exploit Exists

Summary

IBM Spectrum Fusion HCI versions 2.5.2 through 2.7.2 are susceptible to a vulnerability that could enable an attacker to perform unauthorized actions within the RGW for Ceph. This issue arises from improper access controls related to bucket management. Organizations utilizing these versions are advised to review their configurations and implement security measures to mitigate the risk of exploitation. Refer to IBM's advisory for further details.

Affected Version(s)

Spectrum Fusion HCI 2.5.2 <= 2.7.2

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability Reserved

Credit

Josh Baergen, Lucas Henry, and Michael Steger - Digital Ocean.