[openstack-announce] [OSSA 2014-020] XSS in Swift requests through WWW-Authenticate header (CVE-2014-3497)

Tristan Cacqueray tristan.cacqueray at enovance.com
Thu Jun 19 13:07:59 UTC 2014

OpenStack Security Advisory: 2014-020
CVE: CVE-2014-3497
Date: June 19, 2014
Title: XSS in Swift requests through WWW-Authenticate header
Reporter: Globo.com Security Team
Products: Swift
Versions: 1.11.0 to 1.13.1

Globo.com Security Team reported a vulnerability in Swift's header value
escaping. By tricking a Swift user into clicking a malicious URL, a
remote attacker may inject data into a Swift response while still
appearing to come from the Swift server, potentially leading to other
client-side vulnerabilities. All Swift setups are affected.

Juno (development branch) fix:

Icehouse (1.13.*) fix:

This fix will be included in the upcoming 2.0.0 release.


Tristan Cacqueray
OpenStack Vulnerability Management Team
