### Vulnerability Key Information

- **CVE IDs**: CVE-2019-10222, CVE-2020-1700, CVE-2020-1760, CVE-2020-10753, CVE-2020-12059, CVE-2020-25678, CVE-2020-27781, CVE-2021-3524, CVE-2021-3531, CVE-2021-3979, CVE-2021-20288, CVE-2023-43040
- **Affected Component**: Ceph
- **Vulnerability Types**:
  - _CVE-2019-10222_: An unauthenticated attacker can send valid HTTP headers that crash the Ceph RGW server;
  - _CVE-2020-1700_: Improper request handling in the Ceph RGW Beast frontend after authentication leads to resource exhaustion;
  - _CVE-2020-1760_: Improper handling of anonymous Amazon S3 requests makes RGW vulnerable to XSS attacks;
  - _CVE-2020-10753_: The CORS configuration of Amazon S3 buckets exposes an HTTP header injection vulnerability;
  - _CVE-2020-12059_: A POST request with invalid tags crashes the Ceph RGW process;
  - _CVE-2020-25678_: The Ceph mgr module stores passwords in plaintext, leading to information leakage;
  - _CVE-2020-27781_: OpenStack Manila users may manipulate CephFS authentication, leading to privilege escalation;
  - _CVE-2021-3524_: CORS handling in Ceph S3 buckets exposes an HTTP header injection vulnerability;
  - _CVE-2021-3531_: URLs containing a double slash crash RGW;
  - _CVE-2021-3979_: A key length issue in Ceph storage leads to key leakage;
  - _CVE-2021-20288_: A POST request containing a specific `bucket` key-value pair allows writing to buckets outside the caller's permission scope;
  - _CVE-2023-43040_: A permission control vulnerability in Ceph RGW affects anonymous POST requests.
- **Patch Update**: For Debian 10 buster, these issues have been fixed in version `12.2.11+dfsg1-2.1+deb10u1`. Upgrading is recommended.
- **Security Recommendation**: We strongly recommend updating the Ceph packages; refer to the detailed security status page for more information.
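As an added defender-side check that is not part of the advisory, the following script compares installed Ceph package versions on a buster host against the fixed version named above, using a port of dpkg's version ordering rules. It assumes input in the format of `dpkg-query -W -f='${Package} ${Version}\n'` and an assumed list of Ceph package name prefixes; the sample output is constructed, not captured from a real host.

```python
# Added example (not from the advisory): a dpkg-compatible version comparison
# used to flag installed Ceph packages older than the fixed buster version.
import re
from itertools import zip_longest

FIXED_BUSTER = "12.2.11+dfsg1-2.1+deb10u1"  # fixed version named in the advisory

def _weight(ch):
    # dpkg ordering of a non-digit character: "~" sorts before everything
    # (even end of string, weight 0), letters before other symbols
    if ch == "~": return -1
    if ch.isalpha(): return ord(ch)
    return ord(ch) + 256 if ch else 0

def _cmp_fragment(a, b):
    # Compare an upstream or revision fragment the way dpkg's verrevcmp() does:
    # alternate non-digit runs (by character weight) and digit runs (numerically).
    ra = re.findall(r"(\D*)(\d*)", a)
    rb = re.findall(r"(\D*)(\d*)", b)
    for (sa, da), (sb, db) in zip_longest(ra, rb, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _weight(ca) != _weight(cb):
                return _weight(ca) - _weight(cb)
        if int(da or 0) != int(db or 0): return int(da or 0) - int(db or 0)
    return 0

def _split(v):
    # "epoch:upstream-revision" -> (epoch, upstream, revision); epoch defaults to 0
    epoch, sep, rest = v.partition(":")
    if not sep: epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    # -1, 0 or 1, like `dpkg --compare-versions a lt/eq/gt b`
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    c = (ea > eb) - (ea < eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (c > 0) - (c < 0)

def unpatched_packages(dpkg_lines, fixed=FIXED_BUSTER):
    # dpkg_lines: output lines of `dpkg-query -W -f='${Package} ${Version}\n'`
    # Package-name prefixes below are an assumption, not taken from the advisory.
    found = []
    for line in dpkg_lines:
        name, _, ver = line.strip().partition(" ")
        if ver and name.startswith(("ceph", "libceph", "librados", "librbd", "librgw", "radosgw")) \
                and compare_versions(ver, fixed) < 0:
            found.append((name, ver))
    return found

# constructed sample of dpkg-query output (not captured from a real host)
SAMPLE = ["ceph-common 12.2.11+dfsg1-2.1", "radosgw 12.2.11+dfsg1-2.1+deb10u1",
          "librados2 12.2.11+dfsg1-2.1~deb10u1", "bash 5.0-4"]
```

Running `unpatched_packages(SAMPLE)` flags `ceph-common` and `librados2` (a `~deb10u1` revision sorts before `+deb10u1`) while the exactly fixed `radosgw` passes.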