Unauthorized delete of versioned Swift object
Bug #1442041 reported by Vitaly Sedelnik
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mirantis OpenStack | Fix Released | Critical | Alexey Khivin | |
| 5.1.x | Fix Released | Critical | Alexey Khivin | |
| 6.0.x | Fix Released | Critical | Alexey Khivin | |
| 6.1.x | Fix Released | Critical | Alexey Khivin | |
Bug Description
Clay Gerrard from SwiftStack reported a vulnerability in Swift object
versioning. An authenticated user can delete the most recent version of
any versioned object whose name is known, provided the user has listing
access to the x-versions-location container. Only Swift setups with the
allow_version setting enabled are affected.
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/icehouse, stable/juno and master on the public
disclosure date.
CVE: CVE-2015-1856
Proposed public disclosure date/time:
2015-04-14, 1500UTC
information type: Private Security → Public Security
Changed in mos:
status: Fix Committed → Fix Released
tags: added: feature-security
"Only Swift setups with allow_version setting are affected."
By default Fuel sets allow_version to false.
So, this vulnerability does not affect MOS deployments older than version 6.1, see https://review.openstack.org/#/c/171965
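Both the bug description and the comment above hinge on one precondition: the container server must have object versioning enabled. The following added example (not code from the bug report, Swift or Fuel) audits a Swift container-server.conf for that setting; it assumes the option is spelled allow_versions under [app:container-server], which the report abbreviates as allow_version, and uses constructed sample configs.

```python
"""Audit a Swift container-server.conf for the object-versioning setting.

Added example, not from the bug report. Assumption: the option is spelled
``allow_versions`` under ``[app:container-server]`` (the report writes
``allow_version``). When it is absent or false, versioned-object handling,
and therefore this bug, is not reachable.
"""
import configparser

SECTION = "app:container-server"
OPTION = "allow_versions"


def versioning_enabled(conf_text: str) -> bool:
    """Return True if the config enables object versioning."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_section(SECTION):
        return False
    # fallback=False mirrors the default Fuel ships (allow_version off)
    return parser.getboolean(SECTION, OPTION, fallback=False)


def audit(conf_text: str) -> str:
    """One-line verdict suitable for a deployment check script."""
    if versioning_enabled(conf_text):
        return "WARN: allow_versions enabled; apply the CVE-2015-1856 patches"
    return "OK: object versioning disabled"


# Constructed sample configs (not real deployment files).
VULNERABLE_CONF = """\
[DEFAULT]
bind_port = 6001

[app:container-server]
use = egg:swift#container
allow_versions = true
"""

HARDENED_CONF = """\
[DEFAULT]
bind_port = 6001

[app:container-server]
use = egg:swift#container
allow_versions = false
"""

if __name__ == "__main__":
    print(audit(VULNERABLE_CONF))
    print(audit(HARDENED_CONF))
```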