Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2022-47950

Опубликовано: 17 янв. 2023
Источник: redhat
CVSS3: 7.7
EPSS Низкий

Описание

An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. This impacts both s3api deployments (Rocky or later), and swift3 deployments (Queens and earlier, no longer actively developed).

A flaw was found in Swift's S3 XML parser. By supplying specially crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. This issue impacts both s3api deployments (Rocky or later) and swift3 deployments (Queens and earlier, no longer actively developed). Only deployments with S3 compatibility enabled are affected.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Storage 3openstack-swiftAffected
Red Hat OpenStack Platform 13.0 - ELSopenstack-swift-plugin-swift3FixedRHSA-2023:127715.03.2023
Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUSopenstack-swift-plugin-swift3FixedRHSA-2023:127715.03.2023
Red Hat OpenStack Platform 16.1openstack-swiftFixedRHSA-2023:127715.03.2023
Red Hat OpenStack Platform 16.2openstack-swiftFixedRHSA-2023:127715.03.2023
Red Hat OpenStack Platform 17.0openstack-swiftFixedRHSA-2023:101328.02.2023

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-552
https://bugzilla.redhat.com/show_bug.cgi?id=2160618openstack-swift: Arbitrary file access through custom S3 XML entities

EPSS

Процентиль: 40%
0.00181
Низкий

7.7 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2022-47950

CVSS3: 6.5
ubuntu
почти 3 года назад

An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. This impacts both s3api deployments (Rocky or later), and swift3 deployments (Queens and earlier, no longer actively developed).

nvd логотип

CVE-2022-47950

CVSS3: 6.5
nvd
почти 3 года назад

An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. This impacts both s3api deployments (Rocky or later), and swift3 deployments (Queens and earlier, no longer actively developed).

debian логотип

CVE-2022-47950

CVSS3: 6.5
debian
почти 3 года назад

An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x befor ...

github логотип

GHSA-274c-rx2j-2v3x

CVSS3: 6.5
github
почти 3 года назад

OpenStack Swift XML external entities (XXE) Injection

fstec логотип

BDU:2023-00933

CVSS3: 7.7
fstec
почти 3 года назад

Уязвимость компонента swift/common/middleware/s3api/etree.py интерфейса S3 API распределенной системы хранения объектов Swift, позволяющая нарушителю получить несанкционированный доступ на чтение произвольных файлов

EPSS

Процентиль: 40%
0.00181
Низкий

7.7 High

CVSS3