Date: Thu, 19 Jun 2014 09:08:08 -0400 From: Tristan Cacqueray <tristan.cacqueray@...vance.com> To: oss-security@...ts.openwall.com Subject: [OSSA 2014-020] XSS in Swift requests through WWW-Authenticate header (CVE-2014-3497) OpenStack Security Advisory: 2014-020 CVE: CVE-2014-3497 Date: June 19, 2014 Title: XSS in Swift requests through WWW-Authenticate header Reporter: Globo.com Security Team Products: Swift Versions: 1.11.0 to 1.13.1 Description: Globo.com Security Team reported a vulnerability in Swift's header value escaping. By tricking a Swift user into clicking a malicious URL, a remote attacker may inject data in Swift response while still appearing to come from the Swift server, potentially leading to other client-side vulnerabilities. All Swift setups are affected. Juno (development branch) fix: https://review.openstack.org/101031 Icehouse (1.13.*) fix: https://review.openstack.org/101032 Notes: This fix will be included in the upcoming 2.0.0 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3497 https://launchpad.net/bugs/1327414 --· Tristan Cacqueray OpenStack Vulnerability Management Team Download attachment "signature.asc" of type "application/pgp-signature" (539 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.