CVE-2020-27839: 
NixOS vulnerability analysis and mitigation

A security vulnerability was identified in the ceph-dashboard component where the JSON Web Token (JWT) used for user authentication was stored by the frontend application in the browser's localStorage, making it potentially vulnerable to XSS attacks. The vulnerability, tracked as CVE-2020-27839, was discovered and disclosed in May 2021, affecting multiple versions of Red Hat Ceph Storage (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The issue stems from storing sensitive authentication tokens in the browser's localStorage, which is accessible to JavaScript and therefore vulnerable to cross-site scripting (XSS) attacks. The vulnerability is classified under CWE-522 (Insufficiently Protected Credentials) (NVD).

The primary impact of this vulnerability affects data confidentiality and integrity. If exploited, attackers could potentially access and manipulate sensitive authentication tokens through XSS attacks, potentially leading to unauthorized access to the Ceph dashboard (Red Hat Bugzilla).

The recommended mitigation is to avoid storing sensitive data in HTML5 localStorage, even temporarily. Instead, use cookies with appropriate security flags (secure, HttpOnly, SameSite). The vulnerability has been fixed in ceph-dashboard versions 14.2.17 and 15.2.9. Users should upgrade to these or later versions (Red Hat Bugzilla).