OSSA-2015-016: Information leak via Swift tempurls

Date: August 26, 2015
CVE: CVE-2015-5223

Affects

  • Swift: versions through 2.3.0

Description

Richard Hawkins from Rackspace and Swift core reviewers reported a vulnerability in Swift tempurls. When in possession of a tempurl key authorized for PUT, a malicious actor may retrieve other objects in the same Swift account (tenant). All Swift setups are affected.

Credits

  • Richard Hawkins from Rackspace (CVE-2015-5223)
  • Swift core reviewers from OpenStack (CVE-2015-5223)

Notes

  • This fix will be included in future 2014.2.4 (juno) and 2015.1.2 (kilo) releases.

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.