CVE-2012-4406

Published: 22 October 2012

OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object.

Priority

Low

Notes

AuthorNote
jdstrand
design problem which requires access to the private swift network.
Memcached portion is fixed upstream but adds a configuration option that
defaults to using pickle serialization since not all memcached servers
understand JSON.
Marking as 'low' since this requires privileged network access
(per upstream)

References

Bugs