Date: Wed, 8 Oct 2014 04:52:52 -0400 (EDT) From: cve-assign@...re.org To: jeremy@...nstack.org Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request for vulnerability in OpenStack Swift -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > Versions: up to 2.1.0 > a vulnerability in Swift enforcement of metadata contraints. By adding > metadata in several separate calls, an authenticated attacker can > bypass the max_meta_count constraint, potentially resulting in the > storage of more metadata than allowed in configuration. > https://launchpad.net/bugs/1365350 > If we pass more than 90 metadata in one request, it fails. But if we > pass 50 in one request and 50 in another request, the request is > successfully processed which is against documentation. > The above case occurs in account and container only. While in object > case, the metadata is overwritten with new request's metadata. Use CVE-2014-7960. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJUNPrtAAoJEKllVAevmvmsMCYH/Rh+WJrLAUS9X4WQoP0amenB 1ABykY/srIZTQqTF45CFWV2eN/9XUgqCNA5RvhtsIBDrMsA4kTUax2k3rCNewucX YaprOeZtmtZz+pkRH1CANN/E152+NKAiYAdZ6hq5fyFprU5VY9L2fosUqW4S2B0u Klc1mQsE1lSCpFVbvSalgv+xwiGPi439G1QfPIz2Tpq6s33eWnl7YQXSFapGDc7M Axk/mf0HND8Vpcn9DE/eo06yA7bYNJfA3OKflKwmVIO/CabJ+mNGUYuOts1hF22A xE5wtAlZAx1I6FmWOgU11Y2dDqK1p/DjlHLwvn+qHEA/acTyMkachc+imR88fX4= =mGg8 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ