{
  "threat_severity" : "Low",
  "public_date" : "2020-05-27T00:00:00Z",
  "bugzilla" : {
    "description" : "openstack-swift: logs valid temporary urls which could result in access to data by anyone with access to the logfiles",
    "id" : "1850156",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1850156"
  },
  "cvss3" : {
    "cvss3_base_score" : "2.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-532",
  "details" : [ "In OpenStack Swift through 2.10.1, 2.11.0 through 2.13.0, and 2.14.0, the proxy-server logs full tempurl paths, potentially leaking reusable tempurl signatures to anyone with read access to these logs. All Swift deployments using the tempurl middleware are affected.", "A flaw was found in openstack-swift: the proxy server logs valid temporary URLs, which anyone with access to the log files might use to gain access to data. This is especially important with tempurls that are valid for extended periods, or when using central logging servers accessed by operators who have no access to the Swift servers. The highest threat from this vulnerability is to confidentiality." ],
  "statement" : "OpenStack Swift is no longer supported with the recent release of Red Hat Gluster Storage 3.5; hence, openstack-swift will not be updated for this flaw.",
  "package_state" : [ {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "openstack-swift",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Out of support scope",
    "package_name" : "openstack-swift",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Fix deferred",
    "package_name" : "openstack-swift",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat OpenStack Platform 15 (Stein)",
    "fix_state" : "Fix deferred",
    "package_name" : "openstack-swift",
    "cpe" : "cpe:/a:redhat:openstack:15"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.1",
    "fix_state" : "Fix deferred",
    "package_name" : "openstack-swift",
    "cpe" : "cpe:/a:redhat:openstack:16.1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "fix_state" : "Fix deferred",
    "package_name" : "openstack-swift",
    "cpe" : "cpe:/a:redhat:openstack:16.2"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16 (Train)",
    "fix_state" : "Fix deferred",
    "package_name" : "openstack-swift",
    "cpe" : "cpe:/a:redhat:openstack:16"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Out of support scope",
    "package_name" : "openstack-swift",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2017-8761\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-8761\nhttps://bugs.launchpad.net/swift/+bug/1685798" ],
  "name" : "CVE-2017-8761",
  "csaw" : false
}