{"id":"CVE-2017-16818","details":"RADOS Gateway in Ceph 12.1.0 through 12.2.1 allows remote authenticated users to cause a denial of service (assertion failure and application exit) by leveraging \"full\" (not necessarily admin) privileges to post an invalid profile to the admin API, related to rgw/rgw_iam_policy.cc, rgw/rgw_basic_types.h, and rgw/rgw_iam_types.h.","modified":"2026-04-11T04:14:24.479096Z","published":"2017-12-20T17:29:00.307Z","related":["SUSE-SU-2018:1417-1","openSUSE-SU-2024:10676-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6VJA32U7HKGDRJQDJVM7JBYWD4T7BJL/"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1515872"},{"type":"FIX","url":"https://github.com/ceph/ceph/commit/b3118cabb8060a8cc6a01c4e8264cb18e7b1745a"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ceph/ceph","events":[{"introduced":"262617c9f16c55e863693258061c5b25dea5b086"},{"last_affected":"3e7492b9ada8bdc9a5cd0feafd42fbca27f9c38e"},{"fixed":"b3118cabb8060a8cc6a01c4e8264cb18e7b1745a"}],"database_specific":{"versions":[{"introduced":"12.1.0"},{"last_affected":"12.2.1"}]}}],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"27"}]}],"vanir_signatures_modified":"2026-04-11T04:14:24Z","vanir_signatures":[{"signature_type":"Function","digest":{"function_hash":"245246725697601185311032149079313535321","length":274},"target":{"file":"src/rgw/rgw_iam_policy.h","function":"operator=="},"signature_version":"v1","deprecated":false,"id":"CVE-2017-16818-30bd2bc3","source":"https://github.com/ceph/ceph/commit/b3118cabb8060a8cc6a01c4e8264cb18e7b1745a"},{"signature_type":"Function","digest":{"function_hash":"115161449127231675261430366954408280182","length":926},"target":{"file":"src/rgw/rgw_iam_policy.cc","function":"ARN::parse"},"signature_version":"v1","deprecated":false,"id":"CVE-2017-16818-5f445548","source":"https://github.com/ceph/ceph/commit/b3118cabb8060a8cc6a01c4e8264cb18e7b1745a"},{"signature_type":"Function","digest":{"function_hash":"257482042080645969492123703118703426118","length":2539},"target":{"file":"src/rgw/rgw_iam_policy.cc","function":"ParseState::do_string"},"signature_version":"v1","deprecated":false,"id":"CVE-2017-16818-70864511","source":"https://github.com/ceph/ceph/commit/b3118cabb8060a8cc6a01c4e8264cb18e7b1745a"},{"signature_type":"Line","digest":{"line_hashes":["146145906752634540765313682605904988138","300545227044232187076135171329259401824","145011432026609021673112281975242102194","231664225983526129193949534530516570064","146682534350213711813353585981002858679","62277682888744214168149015023599555062","328177316986085832359139961185472411234","66482142488496603589659657098125732273","39312891323187369387300176737792469922","40826309220214274116634076047149073606","118751806751612369416559625475932901054","258821612251577066988696007686083167783"],"threshold":0.9},"target":{"file":"src/rgw/rgw_iam_policy.cc"},"signature_version":"v1","deprecated":false,"id":"CVE-2017-16818-76727305","source":"https://github.com/ceph/ceph/commit/b3118cabb8060a8cc6a01c4e8264cb18e7b1745a"},{"signature_type":"Line","digest":{"line_hashes":["262402367343668608787404694791606852720","110205377371365338977776300723008737532","39610461779683595816889888868354529606","60774082359558696122818771212887963030","226592563938730496251934863330508562181","179846860202622419236940311083345258046","295099565652544353016977010409645460648","110617345758211664006391627539065259271"],"threshold":0.9},"target":{"file":"src/rgw/rgw_basic_types.h"},"signature_version":"v1","deprecated":false,"id":"CVE-2017-16818-95488bf6","source":"https://github.com/ceph/ceph/commit/b3118cabb8060a8cc6a01c4e8264cb18e7b1745a"},{"signature_type":"Line","digest":{"line_hashes":["158372427781552240449030411950100469388","217265026761735695146967871697150612868","92137989353602834373249921628343339134","81822642096930447496935148381769194615","320868456820248850273105975750870608543","86899982706742950213335928089327466616","315941269892209884636900773922698834142","56663838429212522112385059210345181007"],"threshold":0.9},"target":{"file":"src/rgw/rgw_iam_policy.h"},"signature_version":"v1","deprecated":false,"id":"CVE-2017-16818-d606a597","source":"https://github.com/ceph/ceph/commit/b3118cabb8060a8cc6a01c4e8264cb18e7b1745a"},{"signature_type":"Function","digest":{"function_hash":"114230751954890269775029335187701073562","length":1134},"target":{"file":"src/rgw/rgw_iam_policy.cc","function":"parse_principal"},"signature_version":"v1","deprecated":false,"id":"CVE-2017-16818-f32b202f","source":"https://github.com/ceph/ceph/commit/b3118cabb8060a8cc6a01c4e8264cb18e7b1745a"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16818.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}