OpenStack upstream reported that a vulnerability in Swift tempurls was discovered. When in possession of a tempurl key authorized for PUT, a malicious actor may retrieve other objects in the same Swift account (tenant). All Swift setups are affected. Vulnerability affects versions through 2.3.0.
Acknowledgements: Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Richard Hawkins of Rackspace and the Swift core reviewers as the original reporters of this issue.
Public via: http://seclists.org/oss-sec/2015/q3/442
Created openstack-swift tracking bugs for this issue:
Affects: fedora-all [bug 1264282]
Affects: openstack-rdo [bug 1264286]
This issue has been addressed in the following products:
OpenStack 6 for RHEL 7
OpenStack 7 For RHEL 7
OpenStack 5 for RHEL 6
OpenStack 5 for RHEL 7
Via RHSA-2015:1895 https://rhn.redhat.com/errata/RHSA-2015-1895.html
This issue has been addressed in the following products:
Red Hat Gluster Storage 3.1 for RHEL 6
Via RHSA-2016:0329 https://rhn.redhat.com/errata/RHSA-2016-0329.html
This issue has been addressed in the following products:
Red Hat Gluster Storage 3.1 for RHEL 7
Via RHSA-2016:0328 https://rhn.redhat.com/errata/RHSA-2016-0328.html