Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12N21oLTNqZ2YtcjI2Y84AAaDG
OpenStack Object Storage (swift) Code Injection vulnerability
OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object.
Permalink: https://github.com/advisories/GHSA-v7mh-3jgf-r26cJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12N21oLTNqZ2YtcjI2Y84AAaDG
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: 3 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-v7mh-3jgf-r26c, CVE-2012-4406
References:
- https://nvd.nist.gov/vuln/detail/CVE-2012-4406
- https://github.com/openstack/swift/commit/e1ff51c04554d51616d2845f92ab726cb0e5831a
- https://bugs.launchpad.net/swift/+bug/1006414
- https://bugzilla.redhat.com/show_bug.cgi?id=854757
- https://exchange.xforce.ibmcloud.com/vulnerabilities/79140
- https://launchpad.net/swift/+milestone/1.7.0
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089472.html
- http://rhn.redhat.com/errata/RHSA-2012-1379.html
- http://rhn.redhat.com/errata/RHSA-2013-0691.html
- http://www.openwall.com/lists/oss-security/2012/09/05/16
- http://www.openwall.com/lists/oss-security/2012/09/05/4
- https://access.redhat.com/errata/RHSA-2012:1379
- https://access.redhat.com/errata/RHSA-2013:0691
- https://access.redhat.com/security/cve/CVE-2012-4406
- https://web.archive.org/web/20130629092623/http://www.securityfocus.com/bid/55420
- http://www.securityfocus.com/bid/55420
- https://github.com/advisories/GHSA-v7mh-3jgf-r26c
Blast Radius: 16.9
Affected Packages
pypi:swift
Dependent packages: 1Dependent repositories: 53
Downloads: 1,756 last month
Affected Version Ranges: < 1.7.0
Fixed in: 1.7.0
All affected versions: 1.0.2
All unaffected versions: 2.15.2, 2.17.1, 2.19.1, 2.19.2, 2.20.0, 2.21.0, 2.21.1, 2.22.0, 2.23.0, 2.23.1, 2.23.2, 2.23.3, 2.24.0, 2.25.0, 2.25.1, 2.25.2, 2.26.0, 2.27.0, 2.28.0, 2.28.1, 2.29.0, 2.29.1, 2.29.2, 2.30.0, 2.30.1, 2.31.0, 2.31.1, 2.32.0, 2.33.0