Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2022-47950

Published: 18 January 2023

An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. This impacts both s3api deployments (Rocky or later), and swift3 deployments (Queens and earlier, no longer actively developed).

Priority

Medium

Cvss 3 Severity Score

6.5

Score breakdown

Status

Package Release Status
swift
Launchpad, Ubuntu, Debian
bionic Needs triage

focal
Released (2.25.2-0ubuntu1.1)
jammy
Released (2.29.2-0ubuntu1)
kinetic
Released (2.30.1-0ubuntu1)
trusty Ignored
(out of standard support)
upstream
Released (2.31.0,2.30.1,2.29.2,2.28.1)
xenial Needs triage

Severity score breakdown

Parameter Value
Base score 6.5
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N