[openstack-announce] [OSSA 2014-020] XSS in Swift requests through WWW-Authenticate header (CVE-2014-3497)

Tristan Cacqueray tristan.cacqueray at enovance.com
Thu Jun 19 13:07:59 UTC 2014


OpenStack Security Advisory: 2014-020
CVE: CVE-2014-3497
Date: June 19, 2014
Title: XSS in Swift requests through WWW-Authenticate header
Reporter: Globo.com Security Team
Products: Swift
Versions: 1.11.0 to 1.13.1

Description:
Globo.com Security Team reported a vulnerability in Swift's header value
escaping. By tricking a Swift user into clicking a malicious URL, a
remote attacker may inject data into a Swift response that still appears
to come from the Swift server, potentially leading to other client-side
vulnerabilities. All Swift setups are affected.

Juno (development branch) fix:
https://review.openstack.org/101031

Icehouse (1.13.*) fix:
https://review.openstack.org/101032

Notes:
This fix will be included in the upcoming 2.0.0 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3497
https://launchpad.net/bugs/1327414

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team
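
The header value escaping issue described in the advisory, shown as an added example that is not part of the advisory or of the Swift code base: a WWW-Authenticate value built from request data, first verbatim and then percent-encoded, with a check that flags values unsafe to emit. It assumes the realm is taken from the account segment of the request path; the function names and the sample path are constructed for illustration.

```python
from urllib.parse import quote

# Constructed sample: a URL-decoded request path whose account segment
# carries a double quote, CR/LF and markup characters.
SAMPLE_PATH = '/v1/AUTH_demo"\r\nX-Constructed: 1\r\n\r\n<b>'


def realm_from_path(path):
    """Hypothetical helper: use the account segment of /v1/<account> as realm."""
    parts = path.split("/")
    if len(parts) > 2 and parts[1] == "v1" and parts[2]:
        return parts[2]
    return "unknown"


def www_authenticate_unescaped(path):
    """'Before' form: the realm is copied into the header value verbatim."""
    return 'Swift realm="%s"' % realm_from_path(path)


def www_authenticate_escaped(path):
    """Hardened form: percent-encode everything outside A-Z a-z 0-9 _ . - ~"""
    return 'Swift realm="%s"' % quote(realm_from_path(path), safe="")


def header_value_problems(value):
    """Return the reasons a WWW-Authenticate value is unsafe to emit."""
    problems = []
    # CR, LF and other control characters let a value break out of its header.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        problems.append("control character")
    # realm="..." must contain exactly the two delimiting quotes.
    if value.count('"') != 2:
        problems.append("unbalanced quotes")
    # Raw angle brackets have no place in a realm and signal unescaped input.
    if "<" in value or ">" in value:
        problems.append("markup character")
    return problems


if __name__ == "__main__":
    for build in (www_authenticate_unescaped, www_authenticate_escaped):
        value = build(SAMPLE_PATH)
        print(build.__name__, repr(value), header_value_problems(value))
```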