PT-2023-1506 · Openstack · Openstack Swift
Sebastien Meriot · Published 2023-01-18 · Updated 2023-06-05
CVE-2022-47950
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
OpenStack Swift versions prior to 2.28.1
OpenStack Swift versions 2.29.x prior to 2.29.2
OpenStack Swift version 2.30.0
Description
The vulnerability lies in the XML handling of the S3 API interface of the OpenStack Swift distributed object storage system. An authenticated user can supply crafted XML request bodies that coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. The issue affects both s3api deployments (Rocky or later) and swift3 deployments (Queens and earlier).
Recommendations
For OpenStack Swift versions prior to 2.28.1, update to version 2.28.1 or later.
For OpenStack Swift versions 2.29.x prior to 2.29.2, update to version 2.29.2 or later.
For OpenStack Swift version 2.30.0, update to a version later than 2.30.0.
As a temporary workaround, consider restricting access to the S3 API to minimize the risk of exploitation.
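The fixed releases harden the s3api XML parsing; as an added example (not Swift's own code), the following Python gate rejects S3 request bodies that carry a DOCTYPE or entity declaration before any entity could be resolved, using constructed sample bodies and a placeholder entity path.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when a request body carries a DTD or entity declaration."""


def check_no_dtd(data: bytes) -> None:
    """Scan the body with expat and abort on the first DOCTYPE or entity
    declaration. Raises UnsafeXMLError; returns None if the body is clean."""
    parser = xml.parsers.expat.ParserCreate()
    # Never expand parameter entities; returning 0 from the external entity
    # handler makes expat abort instead of fetching the referenced resource.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.ExternalEntityRefHandler = lambda *args: 0

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE declaration not allowed in S3 request body")

    def reject_entity(*args):
        raise UnsafeXMLError("entity declaration not allowed in S3 request body")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc


def is_safe_xml(data: bytes) -> bool:
    """True if the body passes the DTD gate, False otherwise."""
    try:
        check_no_dtd(data)
    except UnsafeXMLError:
        return False
    return True


def parse_s3_request_body(data: bytes) -> ET.Element:
    """Parse a body (e.g. a multi-object Delete request) only after the gate passes."""
    check_no_dtd(data)
    return ET.fromstring(data)


# Constructed samples: a benign S3 DeleteObjects body and one carrying a DTD
# with an external entity (placeholder path; the reference is never resolved).
BENIGN_BODY = b"<Delete><Object><Key>photos/a.jpg</Key></Object></Delete>"
XXE_BODY = (b'<!DOCTYPE Delete [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
            b"<Delete><Object><Key>&ext;</Key></Object></Delete>")

if __name__ == "__main__":
    print(parse_s3_request_body(BENIGN_BODY).tag)  # Delete
    print(is_safe_xml(XXE_BODY))                    # False
```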
Files Accessible to External Parties
Information Disclosure
XXE
Affected Products
Linuxmint
Openstack Swift
Ubuntu