GHSA-274c-rx2j-2v3x

Suggest an improvement
Source
https://github.com/advisories/GHSA-274c-rx2j-2v3x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-274c-rx2j-2v3x/GHSA-274c-rx2j-2v3x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-274c-rx2j-2v3x
Aliases
Published
2023-01-18T18:30:16Z
Modified
2024-05-19T02:24:44.625024Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
OpenStack Swift XML external entities (XXE) Injection
Details

An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. This impacts both s3api deployments (Rocky or later), and swift3 deployments (Queens and earlier, no longer actively developed).

Database specific
{
    "nvd_published_at": "2023-01-18T17:15:00Z",
    "cwe_ids": [
        "CWE-552",
        "CWE-611"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-14T21:30:33Z"
}
References

Affected packages

PyPI / swift

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.28.1

Affected versions

1.*

1.0.2

2.*

2.15.2
2.17.1
2.19.1
2.19.2
2.20.0
2.21.0
2.21.1
2.22.0
2.23.0
2.23.1
2.23.2
2.23.3
2.24.0
2.25.0
2.25.1
2.25.2
2.26.0
2.27.0
2.28.0

PyPI / swift

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.29.0
Fixed
2.29.2

Affected versions

2.*

2.29.0
2.29.1

PyPI / swift

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.30.0
Fixed
2.30.1

Affected versions

2.*

2.30.0