Access Control Flaw in OpenStack Swift Affects S3 API
CVE-2022-47950

6.5MEDIUM

Key Information:

Vendor: Openstack
Status: Swift
Vendor: CVE Published:; 18 January 2023

Summary

An issue has been identified in OpenStack Swift affecting specific versions. This vulnerability allows an authenticated user to craft XML files that can manipulate the S3 API, leading to the exposure of arbitrary file contents from the host server. This can result in unauthorized access to sensitive data, impacting both s3api and swift3 deployments, particularly those using versions Rocky or later and Queens and earlier respectively.

References

https://launchpad.net/bugs/1998625

https://security.openstack.org/ossa/OSSA-2023-001.html

https://lists.debian.org/debian-lts-announce/2023/01/msg0...

mailing-list

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 18, 2023
Vulnerability Reserved
Dec 24, 2022