{
  "threat_severity" : "Moderate",
  "public_date" : "2014-06-19T00:00:00Z",
  "bugzilla" : {
    "description" : "openstack-swift: XSS in Swift requests through WWW-Authenticate header",
    "id" : "1110809",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1110809"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "Cross-site scripting (XSS) vulnerability in OpenStack Swift 1.11.0 through 1.13.1 allows remote attackers to inject arbitrary web script or HTML via the WWW-Authenticate header.", "It was found that Swift did not escape all HTTP header values before reflecting them in responses, allowing attacker-controlled data to be injected into the WWW-Authenticate header of responses sent by the Swift server. This could lead to cross-site scripting attacks (and possibly other impacts) if a user were tricked into clicking on a malicious URL." ],
  "acknowledgement" : "Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges the Globo.com Security Team as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
    "release_date" : "2014-07-24T00:00:00Z",
    "advisory" : "RHSA-2014:0941",
    "cpe" : "cpe:/a:redhat:openstack:5::el7",
    "package" : "openstack-swift-0:1.13.1-3.el7ost"
  }, {
    "product_name" : "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
    "release_date" : "2014-07-24T00:00:00Z",
    "advisory" : "RHSA-2014:0941",
    "cpe" : "cpe:/a:redhat:openstack:5::el7",
    "package" : "python-swiftclient-0:2.1.0-2.el7ost"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenStack Platform 3",
    "fix_state" : "Not affected",
    "package_name" : "openstack-swift",
    "cpe" : "cpe:/a:redhat:openstack:3"
  }, {
    "product_name" : "Red Hat OpenStack Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openstack-swift",
    "cpe" : "cpe:/a:redhat:openstack:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-3497\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-3497" ],
  "name" : "CVE-2014-3497",
  "csaw" : false
}