CVE-2022-47950

An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. This impacts both s3api deployments (Rocky or later), and swift3 deployments (Queens and earlier, no longer actively developed).
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:openstack:swift:*:*:*:*:*:*:*:*
cpe:2.3:a:openstack:swift:2.30.0:*:*:*:*:*:*:*
cpe:2.3:a:openstack:swift:*:*:*:*:*:*:*:*

History

26 Jan 2023, 21:18

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2023/01/msg00021.html -

25 Jan 2023, 21:13

Type Values Removed Values Added
References (MISC) https://launchpad.net/bugs/1998625 - (MISC) https://launchpad.net/bugs/1998625 - Exploit, Issue Tracking, Patch, Vendor Advisory
References (MISC) https://security.openstack.org/ossa/OSSA-2023-001.html - (MISC) https://security.openstack.org/ossa/OSSA-2023-001.html - Patch, Vendor Advisory
CWE CWE-552
First Time Openstack
Openstack swift
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.5
CPE cpe:2.3:a:openstack:swift:2.30.0:*:*:*:*:*:*:*
cpe:2.3:a:openstack:swift:*:*:*:*:*:*:*:*

18 Jan 2023, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-01-18 17:15

Updated : 2023-01-26 21:18


NVD link : CVE-2022-47950

Mitre link : CVE-2022-47950


JSON object : View

Products Affected

openstack

  • swift
CWE
CWE-552

Files or Directories Accessible to External Parties