Red Hat Bugzilla – Bug 972988
CVE-2013-2161 OpenStack Swift: Unchecked user input in Swift XML responses
Last modified: 2016-04-18 21:12:16 EDT
Alex Gaynor from Rackspace reported a vulnerability in XML handling
within Swift account servers. Account strings were unescaped in xml
listings, and an attacker could potentially generate unparsable or
arbitrary XML responses which may be used to leverage other
vulnerabilities in the calling software.
Created attachment 759406 [details]
Proposed public disclosure date/time:
Thursday, June 13, 2013, 1500UTC
Please do not make the issue public (or release public patches)
before this coordinated embargo date.
The Red Hat Security Response Team has rated this issue as having moderate security impact in OpenStack Essex (1.0) and Openstack Folsom (2.1). A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Created attachment 760270 [details]
This issue affects the versions of the openstack-swift package, as shipped with Fedora release of 17, 18, and Fedora EPEL-6. Please schedule an update.
Created openstack-swift tracking bugs for this issue
Affects: fedora-all [bug 974954]
Affects: epel-6 [bug 974956]
Red Hat would like to thank Alex Gaynor from Rackspace for reporting this issue.
This issue has been addressed in following products:
OpenStack 3 for RHEL 6
Via RHSA-2013:0993 https://rhn.redhat.com/errata/RHSA-2013-0993.html