Published: 22 October 2012
OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object.
design problem which requires access to the private swift network. Memcached portion is fixed upstream but adds a configuration option that defaults to using pickle serialization since not all memcached servers understand JSON. Marking as 'low' since this requires privileged network access (per upstream)