CVE-2024-48916 in Ceph
Summary
by MITRE • 07/30/2025
Ceph is a distributed object, block, and file storage platform. In versions 19.2.3 and below, it is possible to send an JWT that has "none" as JWT alg. And by doing so the JWT signature is not checked. The vulnerability is most likely in the RadosGW OIDC provider. As of time of publication, a known patched version has yet to be published.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/31/2025
The vulnerability described in CVE-2024-48916 represents a critical authentication bypass flaw within the Ceph distributed storage platform, specifically affecting versions 19.2.3 and earlier. This issue resides within the RadosGW OIDC (OpenID Connect) provider component, which serves as the identity management interface for Ceph's object storage capabilities. The vulnerability stems from insufficient validation of JSON Web Token (JWT) algorithms, allowing malicious actors to exploit a weakness in the token verification process by submitting tokens with the "none" algorithm designation. This particular algorithm specification effectively disables signature verification, creating a fundamental security loophole that undermines the entire authentication mechanism.
The technical flaw manifests when the RadosGW OIDC provider fails to properly validate the JWT algorithm field, permitting tokens configured with the "none" algorithm to bypass signature verification entirely. This misconfiguration allows attackers to forge authentication tokens without possessing the legitimate signing keys, effectively granting unauthorized access to the storage system. The vulnerability directly maps to CWE-347 - Improper Verification of Cryptographic Signature, which specifically addresses weaknesses in cryptographic verification processes that permit forged or tampered signatures to be accepted as valid. The issue demonstrates a classic case of insecure cryptographic implementation where the system accepts tokens without proper validation of their integrity mechanisms.
Operationally, this vulnerability presents a severe risk to organizations relying on Ceph for their storage infrastructure, as it enables unauthorized users to gain access to sensitive data stored within the distributed object, block, and file storage platform. Attackers could exploit this weakness to perform read, write, and delete operations on stored objects, potentially leading to data exfiltration, data corruption, or complete system compromise. The impact extends beyond simple unauthorized access, as the vulnerability could enable lateral movement within the storage infrastructure and provide attackers with persistent access to valuable enterprise data. This authentication bypass represents a critical weakness that could be leveraged as a stepping stone for more extensive attacks against the broader enterprise environment.
Organizations should immediately implement mitigations including upgrading to patched versions of Ceph as soon as they become available, which will address the JWT algorithm validation issue within the RadosGW OIDC provider. System administrators should also consider implementing additional monitoring and logging mechanisms to detect suspicious authentication patterns and unauthorized access attempts. The vulnerability highlights the importance of proper cryptographic protocol implementation and validation, aligning with ATT&CK technique T1566.002 - Phishing: Spearphishing Attachment, as attackers may use forged tokens to gain initial access to storage systems. Organizations should also review their authentication policies and ensure that all JWT implementations properly validate algorithm specifications and enforce signature verification to prevent similar vulnerabilities from occurring in other components of their storage infrastructure.