Ceph is vulnerable to information disclosure. The RGW (RADOS Gateway) code in Ceph before 10.0.1, when the authenticated-read ACL is applied to a bucket, allows remote attackers to list the bucket contents via a URL.
access.redhat.com/documentation/en/red-hat-ceph-storage/1.3.3/single/release-notes/
access.redhat.com/security/updates/classification/#moderate
bugzilla.redhat.com/show_bug.cgi?id=1193710
bugzilla.redhat.com/show_bug.cgi?id=1273127
bugzilla.redhat.com/show_bug.cgi?id=1278524
bugzilla.redhat.com/show_bug.cgi?id=1284696
bugzilla.redhat.com/show_bug.cgi?id=1291632
bugzilla.redhat.com/show_bug.cgi?id=1299409
bugzilla.redhat.com/show_bug.cgi?id=1301706
bugzilla.redhat.com/show_bug.cgi?id=1302721
bugzilla.redhat.com/show_bug.cgi?id=1304533
bugzilla.redhat.com/show_bug.cgi?id=1306842
bugzilla.redhat.com/show_bug.cgi?id=1312587
bugzilla.redhat.com/show_bug.cgi?id=1316268
bugzilla.redhat.com/show_bug.cgi?id=1316287
bugzilla.redhat.com/show_bug.cgi?id=1317427
bugzilla.redhat.com/show_bug.cgi?id=1330279
bugzilla.redhat.com/show_bug.cgi?id=1330643
bugzilla.redhat.com/show_bug.cgi?id=1331523
bugzilla.redhat.com/show_bug.cgi?id=1331764
bugzilla.redhat.com/show_bug.cgi?id=1332470
bugzilla.redhat.com/show_bug.cgi?id=1333907
bugzilla.redhat.com/show_bug.cgi?id=1334534
bugzilla.redhat.com/show_bug.cgi?id=1335269
bugzilla.redhat.com/show_bug.cgi?id=1344134
bugzilla.redhat.com/show_bug.cgi?id=1347010
bugzilla.redhat.com/show_bug.cgi?id=1349484
bugzilla.redhat.com/show_bug.cgi?id=1360444
bugzilla.redhat.com/show_bug.cgi?id=1360467
bugzilla.redhat.com/show_bug.cgi?id=1368402
bugzilla.redhat.com/show_bug.cgi?id=1369013
rhn.redhat.com/errata/RHSA-2016-1972.html