Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!Close

CVE-2022-47950

Published: 18 January 2023

An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. This impacts both s3api deployments (Rocky or later), and swift3 deployments (Queens and earlier, no longer actively developed).

Notes

AuthorNote
mdeslaur
s3api was introduced in 2.18, and swift3 was not shipped by
Ubuntu

Priority

Medium

Cvss 3 Severity Score

6.5

Score breakdown

Status

Package Release Status
swift
Launchpad, Ubuntu, Debian
kinetic
Released (2.30.1-0ubuntu1)
lunar
Released (2.31.0+git2023020814.488f8c83-0ubuntu1)
bionic Not vulnerable
(code not present)
trusty Ignored
(end of standard support)
xenial Needed

focal
Released (2.25.2-0ubuntu1.1)
jammy
Released (2.29.2-0ubuntu1)
upstream
Released (2.31.0,2.30.1,2.29.2,2.28.1)
mantic
Released (2.31.0+git2023020814.488f8c83-0ubuntu1)

Severity score breakdown

Parameter Value
Base score 6.5
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N