CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2015-5223 – openstack-swift: Information leak via Swift tempurls
https://notcve.org/view.php?id=CVE-2015-5223
OpenStack Object Storage (Swift) before 2.4.0 allows attackers to obtain sensitive information via a PUT tempurl and a DLO object manifest that references an object in another container. OpenStack Object Storage (Swift) en versiones anteriores a 2.4.0 permite a atacantes obtener información sensible a través de un PUT tempurl y un manifiesto de objeto DLO que hace referencia a un objeto en otro contenedor. A flaw was discovered in the OpenStack Object Storage service (swift) TempURLs. An attacker in possession of a TempURL key with PUT permissions could gain read access to other objects in the same project (tenant). • http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00025.html http://rhn.redhat.com/errata/RHSA-2015-1895.html http://rhn.redhat.com/errata/RHSA-2016-0329.html http://www.openwall.com/lists/oss-security/2015/08/26/5 http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.securityfocus.com/bid/84827 https://bugs.launchpad.net/swift/+bug/1449212 https://bugs.launchpad.net/swift/+bug/1453948 https://security.openstack.org/ossa/ • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2015-1856 – Swift: unauthorized deletion of versioned Swift object
https://notcve.org/view.php?id=CVE-2015-1856
OpenStack Object Storage (Swift) before 2.3.0, when allow_version is configured, allows remote authenticated users to delete the latest version of an object by leveraging listing access to the x-versions-location container. OpenStack Object Storage (Swift) anterior a 2.3.0, cuando allow_version está configurado, permite a usuarios remotos autenticados eliminar la última versión de un objeto mediante el aprovechamiento del acceso listado al contenedor de la localización de versiones x. A flaw was found in OpenStack Object Storage that could allow an authenticated user to delete the most recent version of a versioned object regardless of ownership. To exploit this flaw, an attacker must know the name of the object and have listing access to the x-versions-location container. • http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163113.html http://lists.openstack.org/pipermail/openstack-announce/2015-April/000349.html http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00025.html http://rhn.redhat.com/errata/RHSA-2015-1681.html http://rhn.redhat.com/errata/RHSA-2015-1684.html http://rhn.redhat.com/errata/RHSA-2015-1845.html http://rhn.redhat.com/errata/RHSA-2015-1846.html http://www.oracle.com/technetwork/topics/security/bulletinapr • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0CVE-2014-7960 – openstack-swift: Swift metadata constraints are not correctly enforced
https://notcve.org/view.php?id=CVE-2014-7960
OpenStack Object Storage (Swift) before 2.2.0 allows remote authenticated users to bypass the max_meta_count and other metadata constraints via multiple crafted requests which exceed the limit when combined. OpenStack Object Storage (Swift) anterior a 2.2.0 permite a usuarios remotos autenticados evadir las restricciones max_meta_count y otros metadatos a través de múlitples peticiones manipuladas que exceden el límite cuando éstas se combinan. A flaw was found in the metadata constraints in OpenStack Object Storage (swift). By adding metadata in several separate calls, a malicious user could bypass the max_meta_count constraint, and store more metadata than allowed by the configuration. • http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00025.html http://rhn.redhat.com/errata/RHSA-2015-0835.html http://rhn.redhat.com/errata/RHSA-2015-0836.html http://rhn.redhat.com/errata/RHSA-2015-1495.html http://www.openwall.com/lists/oss-security/2014/10/07/39 http://www.openwall.com/lists/oss-security/2014/10/08/7 http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html http://www.securityfocus.com/bid/70279 http://www.ubuntu& • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.8EPSS: 0%CPEs: 34EXPL: 0CVE-2013-6396
https://notcve.org/view.php?id=CVE-2013-6396
The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. La librería del cliente Python de OpenStack para Swift (python-swiftclient) 1.0 hasta 1.9.0 no verifica los certificados X.509 provenientes de los servidores SSL, lo que permite a atacantes man-in-the-middle falsificar servidores y obtener información sensible a través de un certificado manipulado. • http://www.openwall.com/lists/oss-security/2014/02/17/7 https://bugs.launchpad.net/python-swiftclient/+bug/1199783 • CWE-310: Cryptographic Issues •
CVSS: 4.3EPSS: 0%CPEs: 16EXPL: 0CVE-2014-0006 – Swift: TempURL timing attack
https://notcve.org/view.php?id=CVE-2014-0006
The TempURL middleware in OpenStack Object Storage (Swift) 1.4.6 through 1.8.0, 1.9.0 through 1.10.0, and 1.11.0 allows remote attackers to obtain secret URLs by leveraging an object name and a timing side-channel attack. El middleware TempURL de OpenStack Object Storage (Swift) 1.4.6 hasta la versión 1.8.0, 1.9.0 hasta 1.10.0 y 1.11.0 permite a atacantes remotos obtener URLs secretas mediante el aprovechamiento de un nombre de objeto y un ataque de canal lateral basado en análisis de tiempo. • http://rhn.redhat.com/errata/RHSA-2014-0232.html http://www.openwall.com/lists/oss-security/2014/01/17/5 https://bugs.launchpad.net/swift/+bug/1265665 https://access.redhat.com/security/cve/CVE-2014-0006 https://bugzilla.redhat.com/show_bug.cgi?id=1051670 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •