What is CVE-2012-4406?

CVE-2012-4406 is a critical-severity vulnerability in Openstack Swift, classified under Deserialization of Untrusted Data. CVSS score: 9.8/10. Published 2012-10-22.

How severe is CVE-2012-4406?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Is CVE-2012-4406 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Deserialization in Openstack Swift

CVE-2012-4406

OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object.

Vulnerability class: Insecure Deserialization

EPSS: 0.047 (89.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Openstack Swift
Fedoraproject Fedora — versions 16
Redhat Enterprise_linux_server — versions 5.0, 6.0
Redhat Gluster_storage_management_console — versions 2.0
Redhat Gluster_storage_server_for_on-premise — versions 2.0
Redhat Storage — versions 2.0
Redhat Storage_for_public_cloud — versions 2.0
N/a — versions n/a

Weakness classification (CWE)

CWE-502 — Deserialization of Untrusted Data

Public proof-of-concept exploits

c-skills/CVEs

References

secalert@redhat.com (x_refsource_CONFIRM, Patch)
55420 (vdb-entry, x_refsource_BID, Broken Link)
secalert@redhat.com (x_refsource_CONFIRM, Release Notes)
RHSA-2012:1379 (x_refsource_REDHAT, vendor-advisory, Third Party Advisory)
openstack-swift-loads-code-exec(79140) (Third Party Advisory, VDB Entry, vdb-entry, x_refsource_XF)
secalert@redhat.com (x_refsource_CONFIRM, Patch, Issue Tracking)
secalert@redhat.com (Patch, x_refsource_MISC, Issue Tracking)
[oss-security] 20120905 CVE-Request: openstack pickle de-serialization (mailing-list, x_refsource_MLIST, Mailing List)
FEDORA-2012-15098 (x_refsource_FEDORA, vendor-advisory, Mailing List)
RHSA-2013:0691 (x_refsource_REDHAT, vendor-advisory, Not Applicable)

Frequently asked questions

What is CVE-2012-4406?: CVE-2012-4406 is a critical-severity vulnerability in Openstack Swift, classified under Deserialization of Untrusted Data. CVSS score: 9.8/10. Published 2012-10-22.
How severe is CVE-2012-4406?: Critical severity. CVSS v3 base score is 9.8 out of 10.
Is CVE-2012-4406 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.