OSSA-2014-020: XSS in Swift requests through WWW-Authenticate header

OSSA-2014-020: XSS in Swift requests through WWW-Authenticate header¶

Date:: June 19, 2014
CVE:: CVE-2014-3497

Affects¶

Swift: 1.11.0 to 1.13.1

Description¶

Globo.com Security Team reported a vulnerability in Swift’s header value escaping. By tricking a Swift user into clicking a malicious URL, a remote attacker may inject data in Swift response while still appearing to come from the Swift server, potentially leading to other client-side vulnerabilities. All Swift setups are affected.

Patches¶

https://review.openstack.org/#/c/101032 (Icehouse)
https://review.openstack.org/#/c/101031 (Juno)

Credits¶

Globo.com Security Team from Globo.com (CVE-2014-3497)

References¶

this page last updated: 2024-03-18 15:52:07

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.