Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS12N21oLTNqZ2YtcjI2Y84AAaDG

OpenStack Object Storage (swift) Code Injection vulnerability

OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object.

Permalink: https://github.com/advisories/GHSA-v7mh-3jgf-r26c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12N21oLTNqZ2YtcjI2Y84AAaDG
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: 3 months ago

CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-v7mh-3jgf-r26c, CVE-2012-4406
References:

• https://nvd.nist.gov/vuln/detail/CVE-2012-4406
• https://github.com/openstack/swift/commit/e1ff51c04554d51616d2845f92ab726cb0e5831a
• https://bugs.launchpad.net/swift/+bug/1006414
• https://bugzilla.redhat.com/show_bug.cgi?id=854757
• https://exchange.xforce.ibmcloud.com/vulnerabilities/79140
• https://launchpad.net/swift/+milestone/1.7.0
• http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089472.html
• http://rhn.redhat.com/errata/RHSA-2012-1379.html
• http://rhn.redhat.com/errata/RHSA-2013-0691.html
• http://www.openwall.com/lists/oss-security/2012/09/05/16
• http://www.openwall.com/lists/oss-security/2012/09/05/4
• https://access.redhat.com/errata/RHSA-2012:1379
• https://access.redhat.com/errata/RHSA-2013:0691
• https://access.redhat.com/security/cve/CVE-2012-4406
• https://web.archive.org/web/20130629092623/http://www.securityfocus.com/bid/55420
• http://www.securityfocus.com/bid/55420
• https://github.com/advisories/GHSA-v7mh-3jgf-r26c

Repository: https://github.com/openstack/swift
Blast Radius: 16.9

Affected Packages