63 lines
1.5 KiB
YAML
63 lines
1.5 KiB
YAML
date: 2014-01-16
|
|
|
|
id: OSSA-2014-002
|
|
|
|
title: 'Swift TempURL timing attack'
|
|
|
|
description: 'Samuel Merritt from SwiftStack reported a timing attack vulnerability
|
|
in Swift TempURL middleware. By analyzing response times to arbitrary TempURL requests,
|
|
an attacker may be able to guess valid secret URLs and get access to objects that
|
|
were only intended to be publicly shared with specific recipients. In order to use
|
|
this attack, the attacker needs to know the targeted object name, and the object
|
|
account needs to have a TempURL key set. Only Swift setups enabling the TempURL
|
|
middleware are affected.'
|
|
|
|
reference: http://lists.openstack.org/pipermail/openstack-announce/2014-January/000185.html
|
|
|
|
affected-products:
|
|
|
|
- product: swift
|
|
version: All supported versions
|
|
|
|
vulnerabilities:
|
|
|
|
- cve-id: CVE-2014-0006
|
|
impact-assessment:
|
|
source: 'Red Hat Product Security'
|
|
rating: moderate
|
|
assessment:
|
|
type: CVSS2
|
|
score: 4.3
|
|
detail: AV:N/AC:M/Au:N/C:P/I:N/A:N
|
|
classification:
|
|
source: 'Red Hat Product Security'
|
|
type: CWE
|
|
detail: TODO
|
|
|
|
reporters:
|
|
|
|
- name: 'Samuel Merritt'
|
|
affiliation: SwiftStack
|
|
reported:
|
|
- CVE-2014-0006
|
|
|
|
issues:
|
|
|
|
links:
|
|
- https://launchpad.net/bugs/1265665
|
|
|
|
type: launchpad
|
|
|
|
reviews:
|
|
|
|
icehouse:
|
|
- https://review.openstack.org/#/c/67185
|
|
|
|
havana:
|
|
- https://review.openstack.org/#/c/67186
|
|
|
|
grizzly:
|
|
- https://review.openstack.org/#/c/67187
|
|
|
|
type: gerrit
|