CVE-2014-8177 – gluster-swift metadata constraints are not correctly enforced
https://notcve.org/view.php?id=CVE-2014-8177
The Red Hat gluster-swift package, as used in Red Hat Gluster Storage (formerly Red Hat Storage Server), allows remote authenticated users to bypass the max_meta_count constraint via multiple crafted requests which exceed the limit when combined. El paquete gluster-swift de Red Hat, tal como se utiliza en Red Hat Gluster Storage (anteriormente Red Hat Storage Server), permite a usuarios remotos autenticados eludir la restricción max_meta_count a través de múltiples peticiones manipuladas que exceden el límite cuando se combinan. A flaw was found in the metadata constraints in Red Hat Gluster Storage's OpenStack Object Storage (swiftonfile). By adding metadata in several separate calls, a malicious user could bypass the max_meta_count constraint, and store more metadata than allowed by the configuration. • http://rhn.redhat.com/errata/RHSA-2015-1845.html http://rhn.redhat.com/errata/RHSA-2015-1846.html http://www.openwall.com/lists/oss-security/2015/08/27/5 https://bugzilla.redhat.com/show_bug.cgi?id=1257525 https://access.redhat.com/security/cve/CVE-2014-8177 • CWE-284: Improper Access Control •
CVE-2012-4406 – Openstack-Swift: insecure use of python pickle()
https://notcve.org/view.php?id=CVE-2012-4406
OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object. OpenStack Object Storage (swift) antes de v1.7.0 utiliza la función loads en el módulo pickle de Python de forma no segura al almacenar y cargar los metadatos en memcached, lo que permite a atacantes remotos ejecutar código arbitrario a través de un objeto pickle modificado. • http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089472.html http://rhn.redhat.com/errata/RHSA-2012-1379.html http://rhn.redhat.com/errata/RHSA-2013-0691.html http://www.openwall.com/lists/oss-security/2012/09/05/16 http://www.openwall.com/lists/oss-security/2012/09/05/4 http://www.securityfocus.com/bid/55420 https://bugs.launchpad.net/swift/+bug/1006414 https://bugzilla.redhat.com/show_bug.cgi?id=854757 https://exchange.xforce.ibmcloud.com/ • CWE-502: Deserialization of Untrusted Data •