OSSA-2015-006: Unauthorized delete of versioned Swift object

Date: April 14, 2015
CVE: CVE-2015-1856

Affects

  • Swift: versions through 2.2.2

Description

Clay Gerrard from SwiftStack reported a vulnerability in Swift object versioning. An authenticated user can delete the most recent version of any versioned object whose name is known if the user has listing access to the x-versions-location container. Only Swift setups with the allow_version setting are affected.
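
An exposure check for the condition described above, as an added example that is not part of the advisory or of Swift's own code: it flags versioned containers whose x-versions-location container has a read ACL that grants listing. The container names, ACL values and the `versioning_enabled` parameter are constructed for illustration, and only the short ACL forms (`account:user`, `.r:`, `.rlistings`) are assumed.

```python
# Added example: audit for the exposure condition in OSSA-2015-006.
AFFECTED_THROUGH = (2, 2, 2)  # advisory: Swift versions through 2.2.2


def is_affected(version):
    """True if a dotted Swift version falls in the advisory's affected range."""
    return tuple(int(p) for p in version.split(".")) <= AFFECTED_THROUGH


def listing_grants(read_acl):
    """Return the X-Container-Read entries that allow listing the container."""
    entries = [e.strip() for e in (read_acl or "").split(",") if e.strip()]
    # Entries without a leading "." name users, accounts or roles; each one
    # can list. Referrer grants (.r:) allow listing only with .rlistings.
    grants = [e for e in entries if not e.startswith(".")]
    if ".rlistings" in entries:
        grants += [e for e in entries
                   if e.startswith(".r:") and not e.startswith(".r:-")]
    return grants


def audit(swift_version, versioning_enabled, containers):
    """containers maps name -> container headers; returns exposed containers."""
    if not (versioning_enabled and is_affected(swift_version)):
        return []
    findings = []
    for name, headers in sorted(containers.items()):
        location = headers.get("X-Versions-Location")
        if not location:
            continue  # not a versioned container
        acl = containers.get(location, {}).get("X-Container-Read")
        grants = listing_grants(acl)
        if grants:
            findings.append((name, location, grants))
    return findings


# Constructed sample metadata, as collected container HEAD responses might look.
SAMPLE = {
    "docs": {"X-Versions-Location": "docs_versions"},
    "docs_versions": {"X-Container-Read": "partner:alice, .r:*"},
    "media": {"X-Versions-Location": "media_versions"},
    "media_versions": {"X-Container-Read": ".r:*,.rlistings"},
    "logs": {"X-Versions-Location": "logs_versions"},
    "logs_versions": {},
    "scratch": {"X-Container-Read": "partner:*"},
}

if __name__ == "__main__":
    for name, location, grants in audit("2.2.2", True, SAMPLE):
        print(f"{name}: versions in {location} listable by {', '.join(grants)}")
```

Containers reported by the audit are the ones to review first: tighten the read ACL on the versions container until the fixed release is deployed.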

Credits

  • Clay Gerrard from SwiftStack (CVE-2015-1856)

Notes

  • This fix will be included in the upcoming 2.3.0 release.