PT-2014-3428 · Openstack · Openstack Object Storage

Samuel Merritt

Published

2014-01-22

Updated

2022-05-17

CVE-2014-0006

CVSS v4.0

8.7

High

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions OpenStack Object Storage (Swift) versions 1.4.6 through 1.8.0 OpenStack Object Storage (Swift) versions 1.9.0 through 1.10.0 OpenStack Object Storage (Swift) version 1.11.0

Description The issue allows remote attackers to obtain secret URLs by leveraging an object name and a timing side-channel attack, which is a technique that involves measuring the time it takes for a system to respond to different inputs in order to infer sensitive information.

Recommendations For versions 1.4.6 through 1.8.0, update to a version outside of this range to mitigate the risk. For versions 1.9.0 through 1.10.0, update to a version outside of this range to mitigate the risk. For version 1.11.0, update to a version later than 1.11.0 to mitigate the risk.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2014-0006

GHSA-CF9M-Q836-VF26

PYSEC-2014-116

RHSA-2014:0232

RHSA-2014:0367

USN-2207-1

Affected Products

Openstack Object Storage

PT-2014-3428 · Openstack · Openstack Object Storage

CVE-2014-0006

Weakness Enumeration

Related Identifiers

Affected Products

References · 17