
CVE-2022-47950 – openstack-swift: Arbitrary file access through custom S3 XML entities
https://notcve.org/view.php?id=CVE-2022-47950
18 Jan 2023 — An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. This impacts both s3api deployments (Rocky or later), and swift3 deployments (Queens and earlier, no longer actively developed). • https://launchpad.net/bugs/1998625 • CWE-552: Files or Directories Accessible to External Parties •

CVE-2017-8761
https://notcve.org/view.php?id=CVE-2017-8761
02 Jun 2021 — In OpenStack Swift through 2.10.1, 2.11.0 through 2.13.0, and 2.14.0, the proxy-server logs full tempurl paths, potentially leaking reusable tempurl signatures to anyone with read access to these logs. All Swift deployments using the tempurl middleware are affected. • https://launchpad.net/bugs/1685798 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2017-16613 – Debian Security Advisory 4044-1
https://notcve.org/view.php?id=CVE-2017-16613
21 Nov 2017 — An issue was discovered in middleware.py in OpenStack Swauth through 1.2.0 when used with OpenStack Swift through 2.15.1. The Swift object store and proxy server are saving (unhashed) tokens retrieved from the Swauth middleware authentication mechanism to a log file as part of a GET URI. This allows attackers to bypass authentication by inserting a token into an X-Auth-Token header of a new request. NOTE: github.com/openstack/swauth URLs do not mean that Swauth is maintained by an official OpenStack project... • http://www.securityfocus.com/bid/101926 • CWE-287: Improper Authentication •

CVE-2016-9590 – puppet-swift: installs config file with world readable permissions
https://notcve.org/view.php?id=CVE-2016-9590
27 Jan 2017 — puppet-swift before versions 8.2.1 and 9.4.4 is vulnerable to an information disclosure in Red Hat OpenStack Platform director's installation of Object Storage (swift). During installation, the Puppet script responsible for deploying the service incorrectly removes and recreates the proxy-server.conf file with world-readable permissions. • http://rhn.redhat.com/errata/RHSA-2017-0200.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2016-0737 – openstack-swift: Client to proxy DoS through Large Objects
https://notcve.org/view.php?id=CVE-2016-0737
29 Jan 2016 — OpenStack Object Storage (Swift) before 2.4.0 does not properly close client connections, which allows remote attackers to cause a denial of service (proxy-server resource consumption) via a series of interrupted requests to a Large Object URL. • http://rhn.redhat.com/errata/RHSA-2016-0128.html • CWE-399: Resource Management Errors • CWE-400: Uncontrolled Resource Consumption •

CVE-2016-0738 – openstack-swift: Proxy to server DoS through Large Objects
https://notcve.org/view.php?id=CVE-2016-0738
29 Jan 2016 — OpenStack Object Storage (Swift) before 2.3.1 (Kilo), 2.4.x, and 2.5.x before 2.5.1 (Liberty) do not properly close server connections, which allows remote attackers to cause a denial of service (proxy-server resource consumption) via a series of interrupted requests to a Large Object URL. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176713.html • CWE-399: Resource Management Errors • CWE-400: Uncontrolled Resource Consumption •

CVE-2015-5223 – openstack-swift: Information leak via Swift tempurls
https://notcve.org/view.php?id=CVE-2015-5223
16 Oct 2015 — OpenStack Object Storage (Swift) before 2.4.0 allows attackers to obtain sensitive information via a PUT tempurl and a DLO object manifest that references an object in another container. A flaw was discovered in the OpenStack Object Storage service (swift) TempURLs. An attacker in possess... • http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00025.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2015-1856 – Swift: unauthorized deletion of versioned Swift object
https://notcve.org/view.php?id=CVE-2015-1856
17 Apr 2015 — OpenStack Object Storage (Swift) before 2.3.0, when allow_version is configured, allows remote authenticated users to delete the latest version of an object by leveraging listing access to the x-versions-location container. A flaw was found in Op... • http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163113.html • CWE-264: Permissions, Privileges, and Access Controls •

CVE-2014-7960 – openstack-swift: Swift metadata constraints are not correctly enforced
https://notcve.org/view.php?id=CVE-2014-7960
17 Oct 2014 — OpenStack Object Storage (Swift) before 2.2.0 allows remote authenticated users to bypass the max_meta_count and other metadata constraints via multiple crafted requests which exceed the limit when combined. A flaw was found in the metadata constraints in OpenStack Objec... • http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00025.html • CWE-399: Resource Management Errors • CWE-400: Uncontrolled Resource Consumption •

CVE-2014-3497 – openstack-swift: XSS in Swift requests through WWW-Authenticate header
https://notcve.org/view.php?id=CVE-2014-3497
25 Jun 2014 — Cross-site scripting (XSS) vulnerability in OpenStack Swift 1.11.0 through 1.13.1 allows remote attackers to inject arbitrary web script or HTML via the WWW-Authenticate header. It was found that Swift did not escape all HTTP header values, allowing data to be injected into the responses sent from the Swift server. This coul... • http://lists.openstack.org/pipermail/openstack-announce/2014-June/000243.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •