CVE-2022-47950
Summary
| CVE | CVE-2022-47950 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-01-18 17:15:00 UTC |
| Updated | 2023-11-07 03:56:00 UTC |
| Description | An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. This impacts both s3api deployments (Rocky or later) and swift3 deployments (Queens and earlier, no longer actively developed). |
Risk And Classification
Problem Types: CWE-552
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| OSSA-2023-001: Arbitrary file access through custom S3 XML entities — OpenStack Security Advisories 0.0.1.dev258 documentation | MISC | security.openstack.org | |
| Debian -- Security Information -- DSA-5327-1 swift | | www.debian.org | |
| Bug #1998625 “[OSSA-2023-001] Arbitrary file access through cust...” : Bugs : OpenStack Object Storage (swift) | MISC | launchpad.net | |
| [SECURITY] [DLA 3281-1] swift security update | MLIST | lists.debian.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 181501 Debian Security Update for swift (DSA 5327-1)
- 181503 Debian Security Update for swift (DLA 3281-1)
- 184325 Debian Security Update for swift (CVE-2022-47950)
- 199167 Ubuntu Security Notification for OpenStack Swift Vulnerability (USN-5852-1)
- 241234 Red Hat Update for OpenStack Platform 17.0 (RHSA-2023:1013)
- 241269 Red Hat Update for multiple OpenStack Platforms (RHSA-2023:1277)