CVE 2015-1856
OpenStack Object Storage (Swift) before 2.3.0, when allow_version is configured, allows remote authenticated users to delete the latest version of an object by leveraging listing access to the x-versions-location container.
Related bugs and status
CVE-2015-1856 (Candidate) is related to these bugs:
Bug #1419916: Container-sync doesn't timeout when putting/deleting object
Bug | Summary | In | Importance | Status
---|---|---|---|---
1419916 | Container-sync doesn't timeout when putting/deleting object | OpenStack Object Storage (swift) | Undecided | Fix Released
Bug #1425679: swift-object-info should try harder on tombstones
Bug | Summary | In | Importance | Status
---|---|---|---|---
1425679 | swift-object-info should try harder on tombstones | OpenStack Object Storage (swift) | Wishlist | Fix Released
Bug #1428866: swift-object-info display for sysmeta
Bug | Summary | In | Importance | Status
---|---|---|---|---
1428866 | swift-object-info display for sysmeta | OpenStack Object Storage (swift) | Wishlist | Fix Released
Bug #1430645: [OSSA 2015-006] unauthorized delete from container with x-version-location (CVE-2015-1856)
Bug | Summary | In | Importance | Status
---|---|---|---|---
1430645 | [OSSA 2015-006] unauthorized delete from container with x-version-location (CVE-2015-1856) | OpenStack Object Storage (swift) | Undecided | Fix Released
1430645 | [OSSA 2015-006] unauthorized delete from container with x-version-location (CVE-2015-1856) | OpenStack Security Advisory | Medium | Fix Released
Bug #1434465: Tempauth Fails with Authorization Header
Bug | Summary | In | Importance | Status
---|---|---|---|---
1434465 | Tempauth Fails with Authorization Header | OpenStack Object Storage (swift) | Undecided | Fix Released
Bug #1437442: v1 in the API url seems to be a placeholder
Bug | Summary | In | Importance | Status
---|---|---|---|---
1437442 | v1 in the API url seems to be a placeholder | OpenStack Object Storage (swift) | High | Fix Released
Bug #1438579: swift-ring-builder - empty device name
Bug | Summary | In | Importance | Status
---|---|---|---|---
1438579 | swift-ring-builder - empty device name | OpenStack Object Storage (swift) | Undecided | Fix Released
Bug #1441599: test_policy_IO_override from test.unit.proxy.test_server.TestObjectController randomly fails
Bug | Summary | In | Importance | Status
---|---|---|---|---
1441599 | test_policy_IO_override from test.unit.proxy.test_server.TestObjectController randomly fails | OpenStack Object Storage (swift) | Undecided | Fix Released
Bug #1442041: Unauthorized delete of versioned Swift object
Bug | Summary | In | Importance | Status
---|---|---|---|---
1442041 | Unauthorized delete of versioned Swift object | Mirantis OpenStack | Critical | Fix Released
1442041 | Unauthorized delete of versioned Swift object | Mirantis OpenStack 6.1.x | Critical | Fix Released
1442041 | Unauthorized delete of versioned Swift object | Mirantis OpenStack 6.0.x | Critical | Fix Released
1442041 | Unauthorized delete of versioned Swift object | Mirantis OpenStack 5.1.x | Critical | Fix Released
Bug #1444327: String not translatable in swift/common/manager.py
Bug | Summary | In | Importance | Status
---|---|---|---|---
1444327 | String not translatable in swift/common/manager.py | OpenStack Object Storage (swift) | Undecided | Fix Released
See the CVE page on Mitre.org for more details.