Hello all,

We have a vulnerability to report for Ceph.

Summary
=======
A flaw was found in Ceph. Because no SSL context is passed via Pybind to the constructors imaplib.IMAP4_SSL or smtplib.SMTP_SSL, pybind does not check the server's X.509 certificate and instead accepts any certificate. This enables an attacker to carry out a Man In the Middle (MITM) attack, compromising mail server credentials or mail contents.

Our Advisory: https://github.com/ceph/ceph/security/advisories/GHSA-xj9f-7g59-m4jx

CVSS and CWE
============
We have assigned it CVE-2024-31884 with a CVSS score of 6.5, i.e. CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N, and a CWE of CWE-295 (Improper Certificate Validation).

Credits
=======
Credits to: Martin Schobert

Fixed in
========
IBM Storage Ceph 9.0 (to GA on Friday, 1/23/26)

Fixed via the following PRs upstream, with targeted releases:
  #66089 <https://github.com/ceph/ceph/pull/66089>
  20.2.1: #66140 <https://github.com/ceph/ceph/pull/66140>
  19.2.4: #66141 <https://github.com/ceph/ceph/pull/66141>
  18.2.9: #66142 <https://github.com/ceph/ceph/pull/66142>

Sage McTaggart
IBM Product Security
[email protected]
[email protected]
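The root cause described above is that imaplib.IMAP4_SSL and smtplib.SMTP_SSL, when called without an explicit context, do not verify the peer certificate. The following is an added illustration written for this post, not code from Ceph or from the linked PRs: it builds a verifying ssl.SSLContext, refuses to open a mail connection with a context that does not verify the peer, and includes a constructed non-verifying context purely for comparison. Host names and ports are placeholders; nothing here connects unless open_imap/open_smtp is actually called.

```python
import imaplib
import smtplib
import ssl


def build_mail_tls_context(cafile=None):
    """Return a context that validates the server's X.509 chain and hostname.

    create_default_context() already enables both checks; they are set again
    here so the intent is explicit if someone later changes the base context.
    `cafile` (assumed optional) lets a deployment pin its own CA bundle.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_context_for_comparison():
    """Constructed model of a context that accepts any certificate (CWE-295).

    This is what the caller effectively gets when no context is supplied to
    IMAP4_SSL/SMTP_SSL; it exists only so the guard below has something to
    reject in a test. check_hostname must be cleared before verify_mode.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies_peer(ctx):
    """True only if the context both validates the chain and checks the hostname."""
    return ctx is not None and ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def guard_allows(ctx):
    """Policy check used by open_imap/open_smtp: never fall back to the
    library default, and reject any caller-supplied context that does not verify."""
    return context_verifies_peer(ctx)


def open_imap(host, port=993, ctx=None, timeout=10):
    """Open an IMAPS session, passing the verifying context explicitly."""
    if not guard_allows(ctx):
        raise ValueError("refusing IMAPS connection without peer certificate verification")
    return imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)


def open_smtp(host, port=465, ctx=None, timeout=10):
    """Open an SMTPS session, passing the verifying context explicitly."""
    if not guard_allows(ctx):
        raise ValueError("refusing SMTPS connection without peer certificate verification")
    return smtplib.SMTP_SSL(host, port, context=ctx, timeout=timeout)


if __name__ == "__main__":
    good = build_mail_tls_context()
    bad = unverified_context_for_comparison()
    print("default-verifying context accepted:", guard_allows(good))   # True
    print("non-verifying context accepted:   ", guard_allows(bad))    # False
    # Placeholder host; would only be reached with a verifying context:
    # conn = open_imap("mail.example.invalid", ctx=good)
```

The guard deliberately treats `ctx=None` as a failure rather than letting the library pick its own default, which is the exact pattern the advisory describes: the call site must make certificate validation an explicit, reviewable argument.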
