Date: Thu, 19 Jun 2014 09:08:08 -0400
From: Tristan Cacqueray <>
Subject: [OSSA 2014-020] XSS in Swift requests through WWW-Authenticate header

OpenStack Security Advisory: 2014-020
CVE: CVE-2014-3497
Date: June 19, 2014
Title: XSS in Swift requests through WWW-Authenticate header
Reporter: Security Team
Products: Swift
Versions: 1.11.0 to 1.13.1

Description: Security Team reported a vulnerability in Swift's header value
escaping. By tricking a Swift user into clicking a malicious URL, a
remote attacker may inject data into the Swift response while still
appearing to come from the Swift server, potentially leading to other
client-side vulnerabilities. All Swift setups are affected.
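As an added illustration of the escaping problem the advisory describes (example code written for this page, not code from the advisory or from Swift itself): building a WWW-Authenticate realm from an untrusted path segment. It assumes the realm is the account name taken from the request path and uses percent-encoding via urllib.parse.quote as the hardening; both are assumptions here, not details taken from this advisory.

```python
# Added example, not Swift's code. Assumption: the realm parameter of the
# WWW-Authenticate header is built from an untrusted account name found in
# the request URL, so whatever the client put in the URL is reflected back.
from urllib.parse import quote

# Characters that must never reach a raw header value: CR/LF would let the
# value spill into new headers or the body, and a bare double quote ends
# the quoted-string realm parameter (RFC 7235 quoted-string syntax).
_FORBIDDEN = set('\r\n"')


def www_authenticate_unsafe(account: str) -> str:
    """The weak pattern: interpolate the untrusted name directly."""
    return 'Swift realm="%s"' % account


def www_authenticate_safe(account: str) -> str:
    """Hardened: percent-encode the realm so '"', CR, LF, '<', '>' and
    similar bytes cannot break out of the quoted-string. safe='' also
    encodes '/', keeping the realm a single opaque token."""
    return 'Swift realm="%s"' % quote(account, safe='')


def header_value_is_clean(value: str) -> bool:
    """Defensive check usable in a response filter or a test suite: no
    CR/LF anywhere, and no unescaped double quote inside the quotes of
    the realm parameter."""
    if '\r' in value or '\n' in value:
        return False
    start = value.find('"')
    end = value.rfind('"')
    if start == -1 or end == start:
        return False            # not a well-formed quoted-string at all
    inner = value[start + 1:end]
    return not (_FORBIDDEN & set(inner))


if __name__ == '__main__':
    # Constructed sample: an account name carrying a quote and markup.
    tainted = 'AUTH_test"<b>x</b>'
    print(www_authenticate_unsafe(tainted))  # quote ends the realm early
    print(www_authenticate_safe(tainted))    # realm stays one token
    print(header_value_is_clean(www_authenticate_unsafe(tainted)))  # False
    print(header_value_is_clean(www_authenticate_safe(tainted)))    # True
```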

Juno (development branch) fix:

Icehouse (1.13.*) fix:

This fix will be included in the upcoming 2.0.0 release.


Tristan Cacqueray
OpenStack Vulnerability Management Team

