Add OSSA-2023-001 (CVE-2022-47950)
Change-Id: I07a10908a8d1ce314413f601c8f282cca0451cc1 Closes-Bug: #1998625
This commit is contained in:
parent
8e1ff97004
commit
0b14e1f02d
|
@ -0,0 +1,51 @@
|
||||||
|
date: 2023-01-17
|
||||||
|
|
||||||
|
id: OSSA-2023-001
|
||||||
|
|
||||||
|
title: Arbitrary file access through custom S3 XML entities
|
||||||
|
|
||||||
|
description: >
|
||||||
|
Sébastien Meriot (OVH) reported a vulnerability in Swift's S3 XML parser. By
|
||||||
|
supplying specially crafted XML files an authenticated user may coerce the S3
|
||||||
|
API into returning arbitrary file contents from the host server resulting in
|
||||||
|
unauthorized read access to potentially sensitive data; this impacts both
|
||||||
|
s3api deployments (Rocky or later), and swift3 deployments (Queens and
|
||||||
|
earlier, no longer actively developed). Only deployments with S3
|
||||||
|
compatibility enabled are affected.
|
||||||
|
|
||||||
|
affected-products:
|
||||||
|
- product: Swift
|
||||||
|
version: '<2.28.1, >=2.29.0 <2.29.2, ==2.30.0'
|
||||||
|
|
||||||
|
vulnerabilities:
|
||||||
|
- cve-id: CVE-2022-47950
|
||||||
|
|
||||||
|
reporters:
|
||||||
|
- name: Sébastien Meriot
|
||||||
|
affiliation: OVH
|
||||||
|
reported:
|
||||||
|
- CVE-2022-47950
|
||||||
|
|
||||||
|
issues:
|
||||||
|
links:
|
||||||
|
- https://launchpad.net/bugs/1998625
|
||||||
|
|
||||||
|
reviews:
|
||||||
|
2023.1/antelope:
|
||||||
|
- https://review.opendev.org/870823
|
||||||
|
|
||||||
|
zed:
|
||||||
|
- https://review.opendev.org/870825
|
||||||
|
|
||||||
|
yoga:
|
||||||
|
- https://review.opendev.org/870826
|
||||||
|
|
||||||
|
xena:
|
||||||
|
- https://review.opendev.org/870827
|
||||||
|
|
||||||
|
wallaby:
|
||||||
|
- https://review.opendev.org/870828
|
||||||
|
|
||||||
|
notes:
|
||||||
|
- The stable/wallaby branch is under extended maintenance and will receive no
|
||||||
|
new point releases, but a patch for it is provided as a courtesy.
|
Loading…
Reference in New Issue