Add OSSA-2023-001 (CVE-2022-47950)
Change-Id: I07a10908a8d1ce314413f601c8f282cca0451cc1 Closes-Bug: #1998625
This commit is contained in:
parent
8e1ff97004
commit
0b14e1f02d
|
@ -0,0 +1,51 @@
|
|||
date: 2023-01-17
|
||||
|
||||
id: OSSA-2023-001
|
||||
|
||||
title: Arbitrary file access through custom S3 XML entities
|
||||
|
||||
description: >
|
||||
Sébastien Meriot (OVH) reported a vulnerability in Swift's S3 XML parser. By
|
||||
supplying specially crafted XML files an authenticated user may coerce the S3
|
||||
API into returning arbitrary file contents from the host server resulting in
|
||||
unauthorized read access to potentially sensitive data; this impacts both
|
||||
s3api deployments (Rocky or later), and swift3 deployments (Queens and
|
||||
earlier, no longer actively developed). Only deployments with S3
|
||||
compatibility enabled are affected.
|
||||
|
||||
affected-products:
|
||||
- product: Swift
|
||||
version: '<2.28.1, >=2.29.0 <2.29.2, ==2.30.0'
|
||||
|
||||
vulnerabilities:
|
||||
- cve-id: CVE-2022-47950
|
||||
|
||||
reporters:
|
||||
- name: Sébastien Meriot
|
||||
affiliation: OVH
|
||||
reported:
|
||||
- CVE-2022-47950
|
||||
|
||||
issues:
|
||||
links:
|
||||
- https://launchpad.net/bugs/1998625
|
||||
|
||||
reviews:
|
||||
2023.1/antelope:
|
||||
- https://review.opendev.org/870823
|
||||
|
||||
zed:
|
||||
- https://review.opendev.org/870825
|
||||
|
||||
yoga:
|
||||
- https://review.opendev.org/870826
|
||||
|
||||
xena:
|
||||
- https://review.opendev.org/870827
|
||||
|
||||
wallaby:
|
||||
- https://review.opendev.org/870828
|
||||
|
||||
notes:
|
||||
- The stable/wallaby branch is under extended maintenance and will receive no
|
||||
new point releases, but a patch for it is provided as a courtesy.
|
Loading…
Reference in New Issue