{
  "threat_severity" : "Moderate",
  "public_date" : "2015-09-23T00:00:00Z",
  "bugzilla" : {
    "description" : "ceph: RGW permits bucket listing when authenticated_users=read",
    "id" : "1372446",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1372446"
  },
  "cvss" : {
    "cvss_base_score" : "4.9",
    "cvss_scoring_vector" : "AV:A/AC:M/Au:S/C:P/I:P/A:P",
    "status" : "verified"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.0",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
    "status" : "verified"
  },
  "details" : [ "The RGW code in Ceph before 10.0.1, when authenticated-read ACL is applied to a bucket, allows remote attackers to list the bucket contents via a URL.", "A flaw was found in the Ceph RGW code that allows an anonymous user to list the contents of an RGW bucket, bypassing the ACL that should allow only authenticated users to list the bucket's contents." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Ceph Storage 1.3 for Red Hat Enterprise Linux 7",
    "release_date" : "2016-09-29T00:00:00Z",
    "advisory" : "RHSA-2016:1972",
    "cpe" : "cpe:/a:redhat:ceph_storage:1.3::el7",
    "package" : "calamari-server-0:1.3.3-2.el7cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 1.3 for Red Hat Enterprise Linux 7",
    "release_date" : "2016-09-29T00:00:00Z",
    "advisory" : "RHSA-2016:1972",
    "cpe" : "cpe:/a:redhat:ceph_storage:1.3::el7",
    "package" : "ceph-1:0.94.9-3.el7cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 1.3 for Red Hat Enterprise Linux 7",
    "release_date" : "2016-09-29T00:00:00Z",
    "advisory" : "RHSA-2016:1972",
    "cpe" : "cpe:/a:redhat:ceph_storage:1.3::el7",
    "package" : "ceph-deploy-0:1.5.36-1.el7cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 1.3 for Red Hat Enterprise Linux 7",
    "release_date" : "2016-09-29T00:00:00Z",
    "advisory" : "RHSA-2016:1972",
    "cpe" : "cpe:/a:redhat:ceph_storage:1.3::el7",
    "package" : "radosgw-agent-0:1.2.7-1.el7cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 1.3 for Ubuntu",
    "release_date" : "2016-09-29T00:00:00Z",
    "advisory" : "RHSA-2016:1973",
    "cpe" : "cpe:/a:redhat:ceph_storage:1.3::ubuntu:14.04"
  } ],
  "package_state" : [ {
    "product_name" : "OpenStack Foreman",
    "fix_state" : "Not affected",
    "package_name" : "Ceph",
    "cpe" : "cpe:/a:redhat:openstack-installer:5"
  }, {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Not affected",
    "package_name" : "ceph",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)",
    "fix_state" : "Not affected",
    "package_name" : "Ceph",
    "cpe" : "cpe:/a:redhat:openstack:5::el6"
  }, {
    "product_name" : "Red Hat Enterprise Linux OpenStack Platform 6 (Juno)",
    "fix_state" : "Not affected",
    "package_name" : "Ceph",
    "cpe" : "cpe:/a:redhat:openstack:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux OpenStack Platform 6 (Juno) Installer",
    "fix_state" : "Not affected",
    "package_name" : "Ceph",
    "cpe" : "cpe:/a:redhat:openstack-installer:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-7031\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-7031" ],
  "name" : "CVE-2016-7031",
  "csaw" : false
}