Information disclosure in Openstack Swift

CVE-2014-0006

The TempURL middleware in OpenStack Object Storage (Swift) 1.4.6 through 1.8.0, 1.9.0 through 1.10.0, and 1.11.0 allows remote attackers to obtain secret URLs by leveraging an object name and a timing side-channel attack.

Vulnerability class: Information Disclosure

EPSS: 0.004 (62.4th percentile) — read the EPSS interpretation.

Affected products

Openstack Swift — versions 1.4.6, 1.4.7, 1.4.8
N/a — versions n/a

Weakness classification (CWE)

CWE-200 — Information Disclosure

References

RHSA-2014:0232 (x_refsource_REDHAT, vendor-advisory)
secalert@redhat.com (x_refsource_CONFIRM, Vendor Advisory)
[oss-security] 20140117 [OSSA 2014-002] Swift TempURL timing attack (CVE-2014-0006) (mailing-list, x_refsource_MLIST, Patch)