|
Message-ID: <53A2E0B8.8090904@enovance.com>
Date: Thu, 19 Jun 2014 09:08:08 -0400
From: Tristan Cacqueray <tristan.cacqueray@...vance.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2014-020] XSS in Swift requests through WWW-Authenticate header
(CVE-2014-3497)
OpenStack Security Advisory: 2014-020
CVE: CVE-2014-3497
Date: June 19, 2014
Title: XSS in Swift requests through WWW-Authenticate header
Reporter: Globo.com Security Team
Products: Swift
Versions: 1.11.0 to 1.13.1
Description:
Globo.com Security Team reported a vulnerability in Swift's header value
escaping. By tricking a Swift user into clicking a malicious URL, a
remote attacker may inject data in Swift response while still appearing
to come from the Swift server, potentially leading to other client-side
vulnerabilities. All Swift setups are affected.
Juno (development branch) fix:
https://review.openstack.org/101031
Icehouse (1.13.*) fix:
https://review.openstack.org/101032
Notes:
This fix will be included in the upcoming 2.0.0 release.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3497
https://launchpad.net/bugs/1327414
--ยท
Tristan Cacqueray
OpenStack Vulnerability Management Team
Download attachment "signature.asc" of type "application/pgp-signature" (539 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.