Comment 15 for bug 1998625

Jeremy Stanley (fungi) wrote : Re: Arbitrary file access through custom S3 XML entities

Yes, I'll serve as the vulnerability coordinator for the CVE request, advance downstream stakeholder notification, advisory publication and so on. Assuming folks are good with the proposed change to master we'll also want clean backports to the current state of at least the stable/zed, stable/yoga and stable/xena branches (though feel free to create patches for older branches too if you like). Ideally attach the results of a git-formatted patch as described here: https://security.openstack.org/#how-to-propose-and-review-a-security-patch

In order to request a CVE assignment from MITRE, I'll need a succinct description of the flaw and resulting risks (which we'll also include for context in subsequent communications). Here's an attempt, but please let me know if I got anything wrong...

Title: Arbitrary file access through custom S3 XML entities
Reporter: Sébastien Meriot (OVH)
Products: Swift
Affects: <2.28.1, >=2.29.0 <2.29.2, ==2.30.0

Description:
Sébastien Meriot (OVH) reported a vulnerability in Swift's S3 XML parser.
By supplying specially crafted XML files an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server resulting in unauthorized read access to potentially sensitive data; this impacts both s3api deployments (Rocky or later), and swift3 deployments (Queens and earlier, no longer actively developed).
Only deployments with S3 compatibility enabled are affected.
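As an illustration of the flaw class described in the comment above (an added example, not part of the comment and not Swift's code or patch): a request-body guard that refuses any XML carrying a DTD, so custom entities can never be declared. It uses Python's standard-library expat parser; `parse_s3_body`, `key_or_rejection` and the sample bodies are hypothetical, and it assumes legitimate S3 request bodies never need a DOCTYPE.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """The request body declares a DTD, the only place entities can be defined."""


def _reject_doctype(name, system_id, public_id, has_internal_subset):
    # expat calls this as soon as it sees <!DOCTYPE ...>, before any entity
    # declaration is processed or any entity reference is expanded.
    raise ForbiddenXML("DOCTYPE %r is not allowed in an S3 request body" % name)


def parse_s3_body(body: bytes) -> ET.Element:
    """Hypothetical helper: parse a body only if it carries no DTD."""
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject_doctype
    try:
        scanner.Parse(body, True)   # pass 1: structure check only, builds no tree
    except expat.ExpatError as exc:
        raise ValueError("malformed XML: %s" % exc) from exc
    return ET.fromstring(body)      # pass 2: no custom entities can exist here


# Constructed sample bodies (not taken from the bug report).
PLAIN = b"<Delete><Object><Key>photos/a.jpg</Key></Object></Delete>"
WITH_DTD = (b'<!DOCTYPE d [<!ENTITY e "constructed-value">]>'
            b"<Delete><Object><Key>&e;</Key></Object></Delete>")


def key_or_rejection(body: bytes) -> str:
    try:
        return parse_s3_body(body).findtext("Object/Key")
    except ForbiddenXML:
        return "rejected"


if __name__ == "__main__":
    # Unguarded parse: the declared entity silently becomes the key name.
    print(ET.fromstring(WITH_DTD).findtext("Object/Key"))
    print(key_or_rejection(PLAIN), key_or_rejection(WITH_DTD))
```

The unguarded `ET.fromstring` call shows why the guard matters: the parser substitutes whatever the document's own DTD defines into fields the application then treats as ordinary data.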