CVE-2021-3524 in Ceph Storage RadosGW

Summary

by MITRE • 05/17/2021

A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway) in versions before 14.2.21. The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. In addition, the prior bug fix for CVE-2020-10753 did not account for the use of \r as a header separator, thus a new flaw has been created.

Analysis

by VulDB Data Team • 08/22/2025

CVE-2021-3524 affects the RadosGW component of Red Hat Ceph Storage prior to version 14.2.21 and is a critical header injection flaw in the object storage gateway's cross-origin resource sharing (CORS) implementation. The issue stems from improper input validation in CORS configuration handling: RadosGW does not sanitize newline characters in the value of the ExposeHeader tag. When the CORS configuration contains a newline character within an ExposeHeader value, an attacker can inject arbitrary HTTP headers into the response sent by the RadosGW service. This violates the input validation and header sanitization that should be enforced at every layer of web application security.

The technical exploitation of this vulnerability occurs through crafted CORS requests that leverage the newline character injection capability within the ExposeHeader configuration field. When a maliciously crafted request is processed, the newline character allows attackers to append additional HTTP headers to the response, potentially enabling various attack vectors including cache poisoning, cross-site scripting injection, or manipulation of response headers that could be used for further exploitation. The flaw demonstrates a classic case of HTTP header injection vulnerability, which maps directly to CWE-113 - Improper Neutralization of CRLF Characters in HTTP Headers and CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component. The root cause analysis reveals that the security fix implemented for CVE-2020-10753 was incomplete, as it failed to account for the specific use of carriage return characters as header separators, creating a regression that allowed the new vulnerability to persist.

The operational impact of CVE-2021-3524 extends beyond simple header injection, as it creates potential pathways for more sophisticated attacks within the Ceph storage environment. Attackers could leverage this vulnerability to manipulate response headers in ways that might bypass security controls, potentially leading to information disclosure or service disruption. The vulnerability affects the integrity of HTTP responses generated by the RadosGW service, which could compromise the security posture of organizations relying on Ceph for object storage solutions. Given that RadosGW serves as a gateway between object storage systems and web applications, this vulnerability could enable attackers to manipulate how applications interact with the storage backend, potentially allowing for unauthorized data access or modification. The flaw also represents a significant concern for environments where strict security controls are required, as the header injection capability could be used to circumvent security mechanisms implemented at the application layer.

Organizations using affected versions of Red Hat Ceph Storage should implement immediate mitigation strategies including upgrading to version 14.2.21 or later, which contains the necessary patches to address the header injection vulnerability. Additionally, administrators should review and validate all CORS configuration files to ensure that no newline characters are present in ExposeHeader parameters, implementing strict input validation controls at the configuration level. The vulnerability aligns with ATT&CK technique T1190 - Exploit Public-Facing Application, as it represents an attack vector that targets publicly accessible web services, and T1071.004 - Application Layer Protocol: DNS, since the header manipulation could potentially be used to establish covert communication channels. Security monitoring should be enhanced to detect unusual header injection patterns in CORS responses, and network segmentation should be considered to limit the potential impact of exploitation. Organizations should also conduct comprehensive security assessments of their Ceph storage deployments to identify any additional configuration vulnerabilities that could be exploited in conjunction with this header injection flaw.
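The configuration review recommended above can be scripted. The following is an added example, not code from Ceph or VulDB: it assumes the bucket CORS configuration has been exported in the S3-style XML form with one header name per `ExposeHeader` element, and it goes slightly beyond the CR/LF check by also rejecting any value that is not a valid HTTP header field name (RFC 7230 token). The function names and sample data are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# RFC 7230 "token": the only characters legal in an HTTP header field name.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def local(tag):
    """Strip an XML namespace prefix such as '{http://...}ExposeHeader'."""
    return tag.rsplit("}", 1)[-1]

def audit_cors(xml_text):
    """Return (rule_index, value, reason) per unsafe ExposeHeader. Run on your own exported configs."""
    findings = []
    root = ET.fromstring(xml_text)
    rules = [e for e in root.iter() if local(e.tag) == "CORSRule"]
    for idx, rule in enumerate(rules, start=1):
        for el in rule.iter():
            if local(el.tag) != "ExposeHeader":
                continue
            value = el.text or ""
            if "\r" in value or "\n" in value:
                reason = "contains CR or LF"
            elif not TOKEN.fullmatch(value.strip()):
                reason = "not a valid header field name"
            else:
                continue
            findings.append((idx, value, reason))
    return findings

# Constructed sample. &#13; / &#10; are used because XML parsers normalise literal CR to LF.
SAMPLE = """<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin>https://app.example</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <ExposeHeader>ETag</ExposeHeader>
    <ExposeHeader>x-amz-request-id</ExposeHeader>
  </CORSRule>
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <ExposeHeader>x-amz-meta-a&#13;X-Constructed: 1</ExposeHeader>
    <ExposeHeader>x-amz-meta-b&#10;X-Constructed: 2</ExposeHeader>
    <ExposeHeader>bad name</ExposeHeader>
  </CORSRule>
</CORSConfiguration>"""

if __name__ == "__main__":
    for idx, value, reason in audit_cors(SAMPLE):
        print(f"rule {idx}: {value!r}: {reason}")
```

Checking for a bare `\r` as well as `\n` matters here because the earlier fix for CVE-2020-10753 missed `\r` as a header separator.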

Reservation: 04/30/2021
Disclosure: 05/17/2021
Moderation: accepted
CPE: ready
EPSS: 0.01612
KEV: no
Activities: very low
