[openstack-announce] [OSSA 2013-016] Unchecked user input in Swift XML responses (CVE-2013-2161)

Jeremy Stanley jeremy at openstack.org
Thu Jun 13 16:21:07 UTC 2013


OpenStack Security Advisory: 2013-016
CVE: CVE-2013-2161
Date: June 13, 2013
Title: Unchecked user input in Swift XML responses
Reporter: Alex Gaynor (Rackspace)
Products: Swift
Affects: All versions

Description:
Alex Gaynor from Rackspace reported a vulnerability in XML handling
within Swift account servers. Account strings were unescaped in XML
listings, and an attacker could potentially generate unparsable or
arbitrary XML responses which may be used to leverage other
vulnerabilities in the calling software.

Havana (development branch) fix:
https://review.openstack.org/32905

Grizzly fix:
https://review.openstack.org/32909

Folsom fix:
https://review.openstack.org/32911

Notes:
This fix will be included in the next release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2161
https://bugs.launchpad.net/swift/+bug/1183884

-- 
Jeremy Stanley (fungi)
OpenStack Vulnerability Management Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 966 bytes
Desc: Digital signature
URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20130613/54565bc3/attachment.pgp>


More information about the OpenStack-announce mailing list