Source: ceph
Version: 18.2.7-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for ceph.

CVE-2025-52555[0]:
| Ceph is a distributed object, block, and file storage platform. In
| versions 17.2.7, 18.2.1 through 18.2.4, and 19.0.0 through 19.2.2,
| an unprivileged user can escalate to root privileges in a ceph-fuse
| mounted CephFS by chmod 777 a directory owned by root to gain
| access. The result of this is that a user could read, write and
| execute to any directory owned by root as long as they chmod 777 it.
| This impacts confidentiality, integrity, and availability. It is
| patched in versions 17.2.8, 18.2.5, and 19.2.3.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-52555
    https://www.cve.org/CVERecord?id=CVE-2025-52555
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2374412
[2] https://www.openwall.com/lists/oss-security/2025/06/26/1
[3] https://github.com/ceph/ceph/pull/60314
[4] https://github.com/ceph/ceph/security/advisories/GHSA-89hm-qq33-2fjm

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

