CVE-2014-0006
Swift: TempURL timing attack
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The TempURL middleware in OpenStack Object Storage (Swift) 1.4.6 through 1.8.0, 1.9.0 through 1.10.0, and 1.11.0 allows remote attackers to obtain secret URLs by leveraging an object name and a timing side-channel attack.
El middleware TempURL de OpenStack Object Storage (Swift) 1.4.6 hasta la versión 1.8.0, 1.9.0 hasta 1.10.0 y 1.11.0 permite a atacantes remotos obtener URLs secretas mediante el aprovechamiento de un nombre de objeto y un ataque de canal lateral basado en análisis de tiempo.
OpenStack Object Storage provides object storage in virtual containers, which allows users to store and retrieve files. The service's distributed architecture supports horizontal scaling; redundancy as failure-proofing is provided through software-based data replication. Because Object Storage supports asynchronous eventual consistency replication, it is well suited to multiple data-center deployment. A timing attack flaw was found in the way the swift TempURL middleware responded to arbitrary TempURL requests. An attacker with knowledge of an object's name could use this flaw to obtain a secret URL to this object, which was intended to be publicly shared only with specific recipients, if the object had the TempURL key set. Note that only setups using the TempURL middleware were affected.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2013-12-03 CVE Reserved
- 2014-01-23 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (5)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2014/01/17/5 | 2014-03-08 |
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2014-0232.html | 2014-03-08 | |
| https://bugs.launchpad.net/swift/+bug/1265665 | 2014-03-08 | |
| https://access.redhat.com/security/cve/CVE-2014-0006 | 2014-04-03 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1051670 | 2014-04-03 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Openstack Search vendor "Openstack" | Swift Search vendor "Openstack" for product "Swift" | 1.4.6 Search vendor "Openstack" for product "Swift" and version "1.4.6" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Swift Search vendor "Openstack" for product "Swift" | 1.4.7 Search vendor "Openstack" for product "Swift" and version "1.4.7" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Swift Search vendor "Openstack" for product "Swift" | 1.4.8 Search vendor "Openstack" for product "Swift" and version "1.4.8" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Swift Search vendor "Openstack" for product "Swift" | 1.5.0 Search vendor "Openstack" for product "Swift" and version "1.5.0" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Swift Search vendor "Openstack" for product "Swift" | 1.6.0 Search vendor "Openstack" for product "Swift" and version "1.6.0" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Swift Search vendor "Openstack" for product "Swift" | 1.7.0 Search vendor "Openstack" for product "Swift" and version "1.7.0" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Swift Search vendor "Openstack" for product "Swift" | 1.7.2 Search vendor "Openstack" for product "Swift" and version "1.7.2" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Swift Search vendor "Openstack" for product "Swift" | 1.7.4 Search vendor "Openstack" for product "Swift" and version "1.7.4" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Swift Search vendor "Openstack" for product "Swift" | 1.7.5 Search vendor "Openstack" for product "Swift" and version "1.7.5" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Swift Search vendor "Openstack" for product "Swift" | 1.7.6 Search vendor "Openstack" for product "Swift" and version "1.7.6" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Swift Search vendor "Openstack" for product "Swift" | 1.8.0 Search vendor "Openstack" for product "Swift" and version "1.8.0" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Swift Search vendor "Openstack" for product "Swift" | 1.9.0 Search vendor "Openstack" for product "Swift" and version "1.9.0" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Swift Search vendor "Openstack" for product "Swift" | 1.9.1 Search vendor "Openstack" for product "Swift" and version "1.9.1" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Swift Search vendor "Openstack" for product "Swift" | 1.9.2 Search vendor "Openstack" for product "Swift" and version "1.9.2" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Swift Search vendor "Openstack" for product "Swift" | 1.10.0 Search vendor "Openstack" for product "Swift" and version "1.10.0" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Swift Search vendor "Openstack" for product "Swift" | 1.11.0 Search vendor "Openstack" for product "Swift" and version "1.11.0" | - |
Affected
| ||||||