[OSSA 2013-016] Unescaped content embedded in XML (CVE-2013-2161)
Bug #1183884 reported by Alex Gaynor
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Object Storage (swift) | Fix Released | Undecided | Jeremy Stanley | |
| Folsom | Fix Committed | Undecided | Jeremy Stanley | |
| Grizzly | Fix Committed | Undecided | Jeremy Stanley | |
| OpenStack Security Advisory | Fix Released | Low | Jeremy Stanley | |
Bug Description
See the code here: https:/
I'm not 100% convinced this is exploitable; however, after conferring with Donald Stufft (security engineer at Nebula), neither of us was able to rule it out, so I'm filing it as a security issue, better safe than sorry.
CVE References: CVE-2013-2161
| Changed in ossa: | |
| status: | New → Incomplete |
| Changed in ossa: | |
| status: | Incomplete → New |
| assignee: | nobody → Jeremy Stanley (fungi) |
| Changed in ossa: | |
| importance: | Undecided → Low |
| status: | Incomplete → Confirmed |
| Changed in ossa: | |
| status: | Triaged → In Progress |
| summary: | Unescaped content embedded in XML → Unescaped content embedded in XML (CVE-2013-2161) |
| information type: | Private Security → Public Security |
| summary: | Unescaped content embedded in XML (CVE-2013-2161) → [OSSA 2013-016] Unescaped content embedded in XML (CVE-2013-2161) |
| Changed in ossa: | |
| status: | Fix Committed → Fix Released |
| Changed in swift: | |
| milestone: | none → 1.9.0 |
| Changed in swift: | |
| status: | Fix Committed → Fix Released |

I don't know about exploitability, but it's certainly true that an account named AUTH_" produces this little pile of invalid XML on GET:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<account name="AUTH_"">
</account>
```
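The failure mode shown in the comment above, placed next to the escaped rendering that fixes it, as an added example in Python. This is not Swift's own listing code: the function names and the simplified account/container document shape are assumptions, and the sample names are constructed. It uses only the standard library's `xml.sax.saxutils` escaping helpers and `ElementTree` to check well-formedness.

```python
# Added example (not Swift's own code): a naive XML listing that interpolates
# names verbatim, next to a version that escapes attribute and text content.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr


def render_account_unescaped(account_name, containers):
    """Vulnerable rendering: names are interpolated with no escaping, so an
    account named AUTH_" yields <account name="AUTH_""> exactly as the bug
    comment describes. Kept deliberately naive to show the defect."""
    parts = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<account name="%s">' % account_name]
    for name in containers:
        parts.append('<container><name>%s</name></container>' % name)
    parts.append('</account>')
    return '\n'.join(parts)


def render_account_escaped(account_name, containers):
    """Hardened rendering: quoteattr() produces a correctly quoted attribute
    value (choosing single quotes or entities as needed) and escape() handles
    &, < and > in element text."""
    parts = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<account name=%s>' % quoteattr(account_name)]
    for name in containers:
        parts.append('<container><name>%s</name></container>' % escape(name))
    parts.append('</account>')
    return '\n'.join(parts)


def is_well_formed(doc):
    """True if the document parses; the unescaped variant fails this check
    for any name containing a double quote or an angle bracket."""
    try:
        ET.fromstring(doc.encode('utf-8'))
        return True
    except ET.ParseError:
        return False


def parse_account(doc):
    """Round-trip check: parse the listing and recover the original names.
    Equality with the input proves the escaping was lossless."""
    root = ET.fromstring(doc.encode('utf-8'))
    return root.get('name'), [c.findtext('name') for c in root.findall('container')]


if __name__ == '__main__':
    # Constructed sample values exercising the characters that break XML.
    account = 'AUTH_"'
    containers = ['a&b', '<c>']
    print(render_account_unescaped(account, containers))
    print('well-formed (unescaped):', is_well_formed(render_account_unescaped(account, containers)))
    print(render_account_escaped(account, containers))
    print('well-formed (escaped):', is_well_formed(render_account_escaped(account, containers)))
    print('round trip:', parse_account(render_account_escaped(account, containers)))
```

Running the block prints the same invalid `<account name="AUTH_"">` document quoted in the comment for the naive path, while the escaped path emits `<account name='AUTH_"'>`, parses cleanly and returns the original names unchanged. Building the listing with an XML library rather than string formatting removes the class of bug entirely, since the serializer escapes every attribute and text node for you.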