Bug 972988 (CVE-2013-2161) - CVE-2013-2161 OpenStack Swift: Unchecked user input in Swift XML responses
Summary: CVE-2013-2161 OpenStack Swift: Unchecked user input in Swift XML responses
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-2161
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 973372 972992 973370 974954 974956
Blocks: 972990
Reported: 2013-06-11 02:26 UTC by Garth Mollett
Modified: 2023-05-13 01:39 UTC (History)
CC List: 13 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-20 10:39:18 UTC
Embargoed:


Attachments
Patch (584 bytes, patch) - 2013-06-11 02:39 UTC, Garth Mollett
escape-CVE-2013-2161.patch (664 bytes, patch) - 2013-06-12 17:12 UTC, Kurt Seifried


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0993 0 normal SHIPPED_LIVE Moderate: openstack-swift security and bug fix update 2013-06-27 20:44:03 UTC

Description Garth Mollett 2013-06-11 02:26:24 UTC
Alex Gaynor from Rackspace reported a vulnerability in XML handling
within Swift account servers. Account strings were unescaped in XML
listings, and an attacker could potentially generate unparsable or
arbitrary XML responses, which may be used to leverage other
vulnerabilities in the calling software.

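The flaw described above, reduced to a constructed illustration (added here; this is not Swift's own code, nor the code in the attached patches). An account listing is rendered two ways: with container names interpolated raw into the markup, and with every user-controlled string passed through xml.sax.saxutils.escape first. The listing layout, the function names and the sample container names are assumptions; a crafted name shows how a raw interpolation lets one entry forge a second, well-formed entry, and a name containing a bare "<" shows how it makes the whole response unparsable.

```python
"""Constructed example of CVE-2013-2161-style XML injection in an
account listing. Layout, names and inputs are assumptions for
illustration only, not Swift's own code."""
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

_ROW = '<container><name>%s</name><count>%d</count><bytes>%d</bytes></container>'


def listing_unescaped(account, containers):
    """The flaw: container names go straight into the markup, so
    attacker-chosen text becomes XML structure."""
    body = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<account name="%s">' % account]
    for name, count, size in containers:
        body.append(_ROW % (name, count, size))
    body.append('</account>')
    return '\n'.join(body)


def listing_escaped(account, containers):
    """The fix: same layout, but every user-controlled string is escaped
    before interpolation (quotes too, for the attribute value)."""
    body = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<account name="%s">' % escape(account, {'"': '&quot;'})]
    for name, count, size in containers:
        body.append(_ROW % (escape(name), count, size))
    body.append('</account>')
    return '\n'.join(body)


def parse_container_names(xml_text):
    """What a client parser sees: the list of container names, or None if
    the document is not well-formed at all."""
    try:
        root = ET.fromstring(xml_text.encode('utf-8'))
    except ET.ParseError:
        return None
    return [c.findtext('name') for c in root.findall('container')]


# Constructed sample input (assumed account and container names).
ACCOUNT = 'AUTH_demo'
BENIGN = ('photos', 3, 1024)
# Closes the current <name>/<container> and opens a second, attacker-authored
# entry; the template's own trailing tags then close that entry cleanly.
FORGE = ('x</name><count>0</count><bytes>0</bytes></container>'
         '<container><name>forged', 0, 0)
# A bare '<' is enough to break well-formedness of the whole response.
BREAK = ('a<b', 0, 0)


def demo():
    """Run both renderings over both crafted names and collect what the
    client-side parser sees in each case."""
    return {
        'unescaped_forge': parse_container_names(listing_unescaped(ACCOUNT, [BENIGN, FORGE])),
        'escaped_forge': parse_container_names(listing_escaped(ACCOUNT, [BENIGN, FORGE])),
        'unescaped_break': parse_container_names(listing_unescaped(ACCOUNT, [BREAK])),
        'escaped_break': parse_container_names(listing_escaped(ACCOUNT, [BREAK])),
    }


if __name__ == '__main__':
    for case, names in demo().items():
        print('%-16s -> %r' % (case, names))
```

The escaped rendering round-trips the crafted names as ordinary text (the parser hands back exactly the string that was stored), while the raw rendering either yields a third container the account never had or fails to parse at all; which of the two an attacker gets depends only on the name they chose.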
Comment 2 Garth Mollett 2013-06-11 02:39:24 UTC
Created attachment 759406 [details]
Patch

Comment 7 Kurt Seifried 2013-06-11 18:12:16 UTC
Proposed public disclosure date/time:
Thursday, June 13, 2013, 15:00 UTC
Please do not make the issue public (or release public patches)
before this coordinated embargo date.

Comment 10 Garth Mollett 2013-06-11 23:45:33 UTC
Statement:

The Red Hat Security Response Team has rated this issue as having moderate security impact in OpenStack Essex (1.0) and OpenStack Folsom (2.1). A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 12 Kurt Seifried 2013-06-12 17:12:01 UTC
Created attachment 760270 [details]
escape-CVE-2013-2161.patch

Comment 17 Jan Lieskovsky 2013-06-17 09:05:47 UTC
This issue affects the versions of the openstack-swift package as shipped with Fedora releases 17 and 18 and with Fedora EPEL-6. Please schedule an update.

Comment 18 Jan Lieskovsky 2013-06-17 09:07:08 UTC
Created openstack-swift tracking bugs for this issue

Affects: fedora-all [bug 974954]
Affects: epel-6 [bug 974956]

Comment 19 Murray McAllister 2013-06-25 03:22:14 UTC
Acknowledgements:

Red Hat would like to thank Alex Gaynor from Rackspace for reporting this issue.

Comment 20 errata-xmlrpc 2013-06-27 16:49:37 UTC
This issue has been addressed in the following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:0993 https://rhn.redhat.com/errata/RHSA-2013-0993.html
