Swift XML responses Unchecked user input

2013.06.14
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-94


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

OpenStack Security Advisory: 2013-016 CVE: CVE-2013-2161 Date: June 13, 2013 Title: Unchecked user input in Swift XML responses Reporter: Alex Gaynor (Rackspace) Products: Swift Affects: All versions Description: Alex Gaynor from Rackspace reported a vulnerability in XML handling within Swift account servers. Account strings were unescaped in XML listings, and an attacker could potentially generate unparsable or arbitrary XML responses which may be used to leverage other vulnerabilities in the calling software. Havana (development branch) fix: https://review.openstack.org/32905 Grizzly fix: https://review.openstack.org/32909 Folsom fix: https://review.openstack.org/32911 Notes: This fix will be included in the next release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2161 https://bugs.launchpad.net/swift/+bug/1183884

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2161
https://bugs.launchpad.net/swift/+bug/1183884
https://review.openstack.org/32909
https://review.openstack.org/32905


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top