CVE-2014-3497

Impact:
Moderate
Public Date:
2014-06-19
CWE:
CWE-79
Bugzilla:
1110809: CVE-2014-3497 openstack-swift: XSS in Swift requests through WWW-Authenticate header
It was found that Swift did not escape all HTTP header values, notably the value it reflected into the WWW-Authenticate header, allowing request-controlled data to be injected into the responses sent from the Swift server. This could lead to cross-site scripting attacks (and possibly other impacts, since an unescaped header value can also carry line breaks) if a user were tricked into clicking on a malicious URL.
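The following is an added example, not code from the advisory or from the Swift project, showing the pattern the description refers to: a request-derived value placed in the WWW-Authenticate header without escaping, beside a hardened builder and a check that a response header is safe to emit. It assumes (the advisory does not say so) that the reflected value is the account segment of a Swift-style path /v1/<account>/... and that the header is formatted as Swift realm="<account>"; the attack path and benign path are constructed for the example.

```python
"""Added example (not Swift's own code): an unescaped, request-derived value
reaching the WWW-Authenticate header, beside a hardened builder.

Assumptions, labelled because the advisory does not state them: the realm is
the account segment of a Swift-style path /v1/<account>/..., URL-decoded, and
the header is formatted as 'Swift realm="<account>"'.
"""
import re
from urllib.parse import quote, unquote

# Constructed request paths (not from the advisory).
BENIGN_PATH = '/v1/AUTH_test/c/o'
ATTACK_PATH = ('/v1/AUTH_x%22%0D%0AContent-Type:%20text%2Fhtml%0D%0A%0D%0A'
               '%3Cimg%20src=x%20onerror=alert(1)%3E/c/o')

# Control characters (including CR and LF) must never appear in a header value.
_CTL = re.compile(r'[\x00-\x1f\x7f]')


def account_from_path(raw_path):
    """Return the URL-decoded account segment of /v1/<account>/...

    The raw path is split first so that an encoded slash (%2F) inside the
    account segment stays inside it after decoding.
    """
    parts = raw_path.split('/', 3)
    return unquote(parts[2]) if len(parts) > 2 else ''


def www_authenticate_vulnerable(raw_path):
    """The pattern the advisory describes: the decoded account name is
    interpolated into the realm verbatim, so a double quote closes the
    quoted-string and CR/LF starts new header lines (or a body)."""
    return 'Swift realm="%s"' % account_from_path(raw_path)


def www_authenticate_hardened(raw_path):
    """Percent-encode the realm before interpolating it. With safe='' only
    alphanumerics and '_.-~' survive unencoded, so quotes, CR, LF and angle
    brackets cannot terminate the quoted-string or split the header."""
    return 'Swift realm="%s"' % quote(account_from_path(raw_path), safe='')


def header_is_safe(value):
    """Defence in depth at the point of emission: reject a WWW-Authenticate
    value that contains control characters or whose realm quoted-string
    contains an unescaped double quote or backslash."""
    if _CTL.search(value):
        return False
    return re.fullmatch(r'Swift realm="([^"\\]*)"', value) is not None


def wire_lines(headers):
    """Serialise (name, value) pairs as they would leave the socket and
    return the resulting lines; a value carrying CR/LF turns one header into
    several lines, which is the response-splitting primitive."""
    return ''.join('%s: %s\r\n' % kv for kv in headers).split('\r\n')


if __name__ == '__main__':
    for builder in (www_authenticate_vulnerable, www_authenticate_hardened):
        value = builder(ATTACK_PATH)
        print(builder.__name__, 'safe:', header_is_safe(value))
        for line in wire_lines([('WWW-Authenticate', value)]):
            print('   ', repr(line))
```

Run stand-alone, the vulnerable builder yields a header that the serialiser splits into a second Content-Type line, a blank line and an HTML fragment, which is how an unescaped header value becomes script in the response; the hardened builder yields a single line for the same input and passes header_is_safe. Percent-encoding the realm is one generic remedy; the exact upstream change is not reproduced here.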

Find out more about CVE-2014-3497 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score 4.3
Base Metrics AV:N/AC:M/Au:N/C:P/I:N/A:N
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Partial
Integrity Impact None
Availability Impact None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 (openstack-swift) RHSA-2014:0941 2014-07-24

Affected Packages State

Platform Package State
Red Hat Enterprise Linux OpenStack Platform 4.0 openstack-swift Not affected
Red Hat Enterprise Linux OpenStack Platform 3.0 openstack-swift Not affected

Acknowledgements

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges the Globo.com Security Team as the original reporter.
