OSSA-2015-016: Information leak via Swift tempurls
August 26, 2015
Swift: versions through 2.3.0
Richard Hawkins from Rackspace and Swift core reviewers reported a vulnerability in Swift tempurls. When in possession of a tempurl key authorized for PUT, a malicious actor may retrieve other objects in the same Swift account (tenant). All Swift setups are affected.
Richard Hawkins from Rackspace (CVE-2015-5223)
Swift core reviewers from OpenStack (CVE-2015-5223)
This fix will be included in future 2014.2.4 (juno) and 2015.1.2 (kilo) releases.