{"api_version":"1","generated_at":"2026-04-23T05:59:08+00:00","cve":"CVE-2022-47950","urls":{"html":"https://cve.report/CVE-2022-47950","api":"https://cve.report/api/cve/CVE-2022-47950.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-47950","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-47950"},"summary":{"title":"CVE-2022-47950","description":"An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. This impacts both s3api deployments (Rocky or later), and swift3 deployments (Queens and earlier, no longer actively developed).","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2023-01-18 17:15:00","updated_at":"2023-11-07 03:56:00"},"problem_types":["CWE-552"],"metrics":[],"references":[{"url":"https://security.openstack.org/ossa/OSSA-2023-001.html","name":"https://security.openstack.org/ossa/OSSA-2023-001.html","refsource":"MISC","tags":[],"title":"OSSA-2023-001: Arbitrary file access through custom S3 XML entities — OpenStack Security Advisories 0.0.1.dev258 documentation","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.debian.org/security/2023/dsa-5327","name":"DSA-5327","refsource":"","tags":[],"title":"Debian -- Security Information -- DSA-5327-1 swift","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://launchpad.net/bugs/1998625","name":"https://launchpad.net/bugs/1998625","refsource":"MISC","tags":[],"title":"Bug #1998625 “[OSSA-2023-001] Arbitrary file access through cust...” : Bugs : OpenStack Object Storage (swift)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00021.html","name":"[debian-lts-announce] 20230125 [SECURITY] [DLA 3281-1] swift security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3281-1] swift security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-47950","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-47950","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"47950","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"47950","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openstack","cpe5":"swift","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"47950","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openstack","cpe5":"swift","cpe6":"2.30.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-47950","qid":"181501","title":"Debian Security Update for swift (DSA 5327-1)"},{"cve":"CVE-2022-47950","qid":"181503","title":"Debian Security Update for swift (DLA 3281-1)"},{"cve":"CVE-2022-47950","qid":"184325","title":"Debian Security Update for swift (CVE-2022-47950)"},{"cve":"CVE-2022-47950","qid":"199167","title":"Ubuntu Security Notification for OpenStack Swift Vulnerability (USN-5852-1)"},{"cve":"CVE-2022-47950","qid":"241234","title":"Red Hat Update for OpenStack Platform 17.0 (RHSA-2023:1013)"},{"cve":"CVE-2022-47950","qid":"241269","title":"Red Hat Update for multiple OpenStack Platforms (RHSA-2023:1277)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2022-47950","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. This impacts both s3api deployments (Rocky or later), and swift3 deployments (Queens and earlier, no longer actively developed)."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://launchpad.net/bugs/1998625","refsource":"MISC","name":"https://launchpad.net/bugs/1998625"},{"refsource":"MISC","name":"https://security.openstack.org/ossa/OSSA-2023-001.html","url":"https://security.openstack.org/ossa/OSSA-2023-001.html"},{"refsource":"MLIST","name":"[debian-lts-announce] 20230125 [SECURITY] [DLA 3281-1] swift security update","url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00021.html"}]}},"nvd":{"publishedDate":"2023-01-18 17:15:00","lastModifiedDate":"2023-11-07 03:56:00","problem_types":["CWE-552"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:openstack:swift:*:*:*:*:*:*:*:*","versionEndExcluding":"2.28.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:openstack:swift:2.30.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:openstack:swift:*:*:*:*:*:*:*:*","versionStartIncluding":"2.29.0","versionEndExcluding":"2.29.2","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}