Red Hat OpenStack Platform 15 (RHOSP) ships a ceph package but no longer uses it; deployments pull ceph directly from the Red Hat Ceph Storage 4 repository. For this reason RHOSP itself will not be updated for this flaw, and RHOSP deployments take the fix through the Red Hat Ceph Storage 4 repository.
This issue affects the versions of ceph shipped with Red Hat Ceph Storage 3 and 4 and with Red Hat OpenShift Container Storage 4.2, because the Ceph Object Gateway in those versions accepts unauthenticated requests from an anonymous user on its Amazon S3-compatible API.
The Ceph Object Gateway exposes an Amazon S3-compatible API and, for a few operations, accepts unauthenticated requests from an anonymous user. Because untrusted input carried in such a request is not properly neutralized before it is used to generate the response, the flaw could lead to cross-site scripting (XSS). Authentication is therefore not a control for these operations; the fix is proper neutralization of the input.
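The defect class the advisory describes, untrusted input from an anonymous request reaching the response body without neutralization, as an added example that is not Ceph's code and makes no claim about which gateway operation or field was affected: a constructed S3-style XML error document built the vulnerable way beside the hardened form, with a parser-based check that detects when input has been interpreted as markup. The payload, the function names and the error layout are assumptions for illustration.

```python
"""Added example (not Ceph's code): the defect class named in the advisory,
untrusted input from an anonymous request reaching a response body without
neutralization, shown on a constructed S3-style <Error> document."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: a value an anonymous S3 client controls, such as the
# object key taken from the request path. It is an illustration only and is
# not a payload taken from the advisory.
UNTRUSTED_KEY = "photos/<script>alert(document.domain)</script>.jpg"

# Element names a well-formed S3-style error document may contain (assumed
# schema for this example).
EXPECTED_TAGS = {"Error", "Code", "Message", "Resource", "RequestId"}


def error_body_vulnerable(code: str, resource: str, request_id: str) -> str:
    """Builds the error document by string interpolation.

    Whatever the client put in `resource` is emitted verbatim, so markup in
    the key becomes markup in the response (the CWE-79 pattern)."""
    return (
        "<Error>"
        f"<Code>{code}</Code>"
        "<Message>The specified key does not exist.</Message>"
        f"<Resource>{resource}</Resource>"
        f"<RequestId>{request_id}</RequestId>"
        "</Error>"
    )


def error_body_hardened(code: str, resource: str, request_id: str) -> str:
    """Same document, with every interpolated value neutralized for the XML
    text-node context via xml.sax.saxutils.escape (&, <, >).

    An attribute context would need quoteattr() and an HTML context
    html.escape(): the encoder must match where the value lands."""
    return (
        "<Error>"
        f"<Code>{escape(code)}</Code>"
        "<Message>The specified key does not exist.</Message>"
        f"<Resource>{escape(resource)}</Resource>"
        f"<RequestId>{escape(request_id)}</RequestId>"
        "</Error>"
    )


def element_names(doc: str) -> set:
    """Names of all start tags in the document. Declarations and end tags
    begin with '?' or '/', so they are not matched."""
    return set(re.findall(r"<([A-Za-z][\w:-]*)", doc))


def has_injected_markup(doc: str) -> bool:
    """True when the response contains elements outside the fixed schema,
    i.e. untrusted input was interpreted as markup instead of text."""
    return not element_names(doc) <= EXPECTED_TAGS


def resource_text(doc: str) -> str:
    """The <Resource> value as an XML parser sees it. With the vulnerable
    builder the injected <script> becomes a child element and the key is
    truncated at the first '<'; with the hardened builder it round-trips."""
    return ET.fromstring(doc).findtext("Resource")


if __name__ == "__main__":
    for name, build in (("vulnerable", error_body_vulnerable),
                        ("hardened", error_body_hardened)):
        doc = build("NoSuchKey", UNTRUSTED_KEY, "req-0001")
        print(f"{name}: injected markup={has_injected_markup(doc)} "
              f"resource={resource_text(doc)!r}")
```

The check deliberately re-parses the response rather than grepping for `<script>`: the security-relevant fact is that the client's input changed the document's element structure at all, which is exactly what context-appropriate encoding prevents. In the anonymous-request setting the advisory describes, requiring credentials does not help, so the output encoding is the control, with a correct `Content-Type` and `X-Content-Type-Options: nosniff` on the response as defence in depth.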