date: 2014-06-19

id: OSSA-2014-020

title: 'XSS in Swift requests through WWW-Authenticate header'

description: 'Globo.com Security Team reported a vulnerability in Swift''s header
  value escaping. By tricking a Swift user into clicking a malicious URL, a remote
  attacker may inject data in Swift response while still appearing to come from the
  Swift server, potentially leading to other client-side vulnerabilities. All Swift
  setups are affected. '

reference: http://lists.openstack.org/pipermail/openstack-announce/2014-June/000243.html

affected-products:

  - product: swift
    version: 1.11.0 to 1.13.1

vulnerabilities:

  - cve-id: CVE-2014-3497
    impact-assessment:
      source: 'Red Hat Product Security'
      rating: moderate
      assessment:
        type: CVSS2
        score: 4.3
        detail: AV:N/AC:M/Au:N/C:P/I:N/A:N
    classification:
      source: 'Red Hat Product Security'
      type: CWE
      detail: TODO

reporters:

  - name: 'Globo.com Security Team'
    affiliation: Globo.com
    reported:
      - CVE-2014-3497

issues:

  links:
    - https://launchpad.net/bugs/1327414

  type: launchpad

reviews:

  juno:
    - https://review.openstack.org/#/c/101031

  icehouse:
    - https://review.openstack.org/#/c/101032

  type: gerrit