CVE-2015-8466

Published: 13 January 2016

Swift3 before 1.9 allows remote attackers to conduct replay attacks via an Authorization request that lacks a Date header.

From the Ubuntu security team

It was discovered that Swift3 did not properly validate the Date and x-amz-date headers when an Authorization header was specified. An attacker could use this vulnerability to conduct a replay attack and potentially expose sensitive information.

Priority

Medium

CVSS 3 base score: 7.4

Status

Package: swift-plugin-s3 (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Needs triage
Ubuntu 21.04 (Hirsute Hippo): Does not exist
Ubuntu 20.10 (Groovy Gorilla): Does not exist
Ubuntu 20.04 LTS (Focal Fossa): Does not exist
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (1.11-2)
Ubuntu 16.04 ESM (Xenial Xerus): Ignored (end of standard support, was needed)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was needed)

Patches:
Upstream: https://git.openstack.org/cgit/openstack/swift3/commit/?id=4fce274c50112e02360993c4eeaafe811fcc757c