Bug 1255622 (CVE-2015-5223) - CVE-2015-5223 openstack-swift: Information leak via Swift tempurls
Summary: CVE-2015-5223 openstack-swift: Information leak via Swift tempurls
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-5223
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1263018 1264282 1264283 1264284 1264285 1264286
Blocks: 1255631
TreeView+ depends on / blocked
 
Reported: 2015-08-21 08:16 UTC by Adam Mariš
Modified: 2023-05-12 21:08 UTC (History)
29 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was discovered in the OpenStack Object Storage service (swift) TempURLs. An attacker in possession of a TempURL key with PUT permissions could gain read access to other objects in the same project (tenant).
Clone Of:
Environment:
Last Closed: 2017-03-23 06:31:32 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1322227 0 unspecified CLOSED openstack-swift: Fix for CVE-2015-5223 is partially present in openstack-swift-2.3.0-5.el7ost build 2023-09-14 03:20:19 UTC
Red Hat Product Errata RHSA-2015:1895 0 normal SHIPPED_LIVE Moderate: openstack-swift security update 2015-10-15 16:29:17 UTC

Internal Links: 1322227

Description Adam Mariš 2015-08-21 08:16:52 UTC 
Openstack upstream reported that a vulnerabilty in Swift tempurls was discovered.
When in possession of a tempurl key authorized for PUT, a malicious actor may retrieve
other objects in the same Swift account (tenant). All Swift setups are affected.

Vulnerability affects versions through 2.3.0.
Comment 5 Adam Mariš 2015-08-21 08:46:00 UTC 
Acknowledgements:

Red Hat would like to thank the Openstack project for reporting this issue. Upstream acknowledges Richard Hawkins of Rackspace and the Swift core reviewers as the original reporters of this issue.
Comment 6 Adam Mariš 2015-08-28 09:17:52 UTC 
Public via:

http://seclists.org/oss-sec/2015/q3/442
Comment 10 Garth Mollett 2015-09-18 06:06:10 UTC 
Created openstack-swift tracking bugs for this issue:

Affects: fedora-all [bug 1264282]
Affects: openstack-rdo [bug 1264286]
Comment 12 errata-xmlrpc 2015-10-15 12:34:10 UTC 
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7
  OpenStack 7 For RHEL 7
  OpenStack 5 for RHEL 6
  OpenStack 5 for RHEL 7

Via RHSA-2015:1895 https://rhn.redhat.com/errata/RHSA-2015-1895.html
Comment 14 Siddharth Sharma 2017-03-23 06:30:43 UTC 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.1 for RHEL 6

Via RHSA-2016:0329 https://rhn.redhat.com/errata/RHSA-2016-0329.html
Comment 15 Siddharth Sharma 2017-03-23 06:31:32 UTC 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.1 for RHEL 7

Via RHSA-2016:0328 https://rhn.redhat.com/errata/RHSA-2016-0328.html
Note You need to log in before you can comment on or make changes to this bug.