Source: swift-proxy
Version: 2.26.0-10
Severity: serious
Tags: patch

Title: Arbitrary file access through custom S3 XML entities
Reporter: Sébastien Meriot (OVH)
Products: Swift
Affects: <2.28.1, >=2.29.0 <2.29.2, ==2.30.0

Description:
Sébastien Meriot (OVH) reported a vulnerability in Swift's S3 XML parser. By supplying specially crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. This impacts both s3api deployments (Rocky or later) and swift3 deployments (Queens and earlier, no longer actively developed). Only deployments with S3 compatibility enabled are affected.

See attached patches. Unless a flaw is discovered in them, these patches will be merged to their corresponding branches on the public disclosure date. The master branch patch applies cleanly to the stable/zed, stable/yoga, stable/xena and stable/wallaby branches, but separate copies of it are attached for each for the sake of clarity. The fix could be applied with some fuzz to branches as old as stable/train, and with some minor unit test adjustments as far back as stable/rocky. Note that the stable/wallaby branch is under extended maintenance (as are older branches) and will receive no new point releases, but a patch for it is provided as a courtesy.

CVE: CVE-2022-47950

Proposed public disclosure date/time: 2023-01-17, 1500UTC
Please do not make the issue public (or release public patches) before this coordinated embargo date.

Original private report: https://launchpad.net/bugs/1998625
For access to read and comment on this report, please reply to me with your Launchpad username and I will subscribe you.
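The flaw described above is an XML external entity (XXE) issue: an XML request body carrying a DOCTYPE can declare entities that the parser expands, including references to files on the host. The following is an added example written for this report, not the attached Swift patches nor code from the Swift project, showing one defensive pattern: a strict pre-scan with the standard library's expat bindings that refuses any S3 request body containing a DOCTYPE, entity declaration or external entity reference before the document is handed to the real parser. The element names and the sample bodies are constructed for illustration.

```python
"""Hardened parsing of S3-style XML request bodies (added example, stdlib only)."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Raised when a body carries a DTD, entity declaration or external reference."""


def reject_dtd(data: bytes) -> None:
    """Pre-scan the body with expat and abort on any DTD construct.

    S3 request bodies (CompleteMultipartUpload, bucket ACLs, ...) never need a
    DOCTYPE, so any document that declares one is refused outright rather than
    trying to enumerate which entity forms are dangerous.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE not allowed: %r" % name)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError("entity declaration not allowed: %r" % name)

    def on_external_ref(context, base, sysid, pubid):
        # Returning 0 makes expat fail the parse instead of fetching anything.
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)  # handler exceptions propagate out of Parse()


def parse_request_body(data: bytes) -> ET.Element:
    """Parse an S3 XML body, refusing any document that could expand entities."""
    reject_dtd(data)
    return ET.fromstring(data)


def is_safe_body(data: bytes) -> bool:
    """True if the body passes the DTD check; malformed XML still raises."""
    try:
        reject_dtd(data)
    except UnsafeXMLError:
        return False
    return True


# Constructed sample bodies: a normal multipart-completion request and one
# that smuggles in a DTD (here only a harmless internal entity, but the same
# mechanism is what lets an external entity point at a host file).
BENIGN_BODY = (b'<?xml version="1.0" encoding="UTF-8"?>'
               b'<CompleteMultipartUpload><Part><PartNumber>1</PartNumber>'
               b'<ETag>"d41d8cd98f00b204e9800998ecf8427e"</ETag></Part>'
               b'</CompleteMultipartUpload>')
DTD_BODY = b'<!DOCTYPE x [<!ENTITY e "expanded">]><CompleteMultipartUpload>&e;</CompleteMultipartUpload>'
```

Applied at the request-body boundary, this turns an XXE attempt into a 4xx rejection that can also be logged and alerted on, since legitimate S3 clients never send a DOCTYPE.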