Swift XML responses Unchecked user input

2013.06.14

Credit: Jeremy Stanley

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2013-2161

CWE: CWE-94

Ogólna skala CVSS: 7.5/10

Znaczenie: 6.4/10

Łatwość wykorzystania: 10/10

Wymagany dostęp: Zdalny

Złożoność ataku: Niska

Autoryzacja: Nie wymagana

Wpływ na poufność: Częściowy

Wpływ na integralność: Częściowy

Wpływ na dostępność: Częściowy

OpenStack Security Advisory: 2013-016
CVE: CVE-2013-2161
Date: June 13, 2013
Title: Unchecked user input in Swift XML responses
Reporter: Alex Gaynor (Rackspace)
Products: Swift
Affects: All versions

Description:
Alex Gaynor from Rackspace reported a vulnerability in XML handling
within Swift account servers. Account strings were unescaped in XML
listings, and an attacker could potentially generate unparsable or
arbitrary XML responses which may be used to leverage other
vulnerabilities in the calling software.

Havana (development branch) fix:
https://review.openstack.org/32905

Grizzly fix:
https://review.openstack.org/32909

Folsom fix:
https://review.openstack.org/32911

Notes:
This fix will be included in the next release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2161
https://bugs.launchpad.net/swift/+bug/1183884

Referencje:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2161

https://bugs.launchpad.net/swift/+bug/1183884

https://review.openstack.org/32909

https://review.openstack.org/32905

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Swift XML responses Unchecked user input

Referencje:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.