OSSA-2015-016: Information leak via Swift tempurls

Date: August 26, 2015

CVE: CVE-2015-5223

Affects

  • Swift: versions through 2.3.0

Description

Richard Hawkins from Rackspace and Swift core reviewers reported a vulnerability in Swift tempurls. When in possession of a tempurl key authorized for PUT, a malicious actor may retrieve other objects in the same Swift account (tenant). All Swift setups are affected.

Patches

Credits

  • Richard Hawkins from Rackspace (CVE-2015-5223)

  • Swift core reviewers from OpenStack (CVE-2015-5223)

References

Notes

  • This fix will be included in future 2014.2.4 (juno) and 2015.1.2 (kilo) releases.