OpenStack Security Advisory: 2014-020 CVE: CVE-2014-3497 Date: June 19, 2014 Title: XSS in Swift requests through WWW-Authenticate header Reporter: Globo.com Security Team Products: Swift Versions: 1.11.0 to 1.13.1 Description: Globo.com Security Team reported a vulnerability in Swift's header value escaping. By tricking a Swift user into clicking a malicious URL, a remote attacker may inject data in Swift response while still appearing to come from the Swift server, potentially leading to other client-side vulnerabilities. All Swift setups are affected. Juno (development branch) fix: https://review.openstack.org/101031 Icehouse (1.13.*) fix: https://review.openstack.org/101032 Notes: This fix will be included in the upcoming 2.0.0 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3497 https://launchpad.net/bugs/1327414 --· Tristan Cacqueray OpenStack Vulnerability Management Team