Search criteria

2 vulnerabilities found for Swift by OpenStack

CVE-2026-50221 (GCVE-0-2026-50221)

Vulnerability from cvelistv5 – Published: 2026-06-23 17:03 – Updated: 2026-06-23 17:38
VLAI?
Summary
In OpenStack Swift before 2.37.2, proxy-server does not strip internal update headers (X-Container-Host, X-Container-Device, X-Delete-At-Host, X-Delete-At-Device) from client requests before forwarding them to object-servers. An authenticated user with write access can inject these headers to redirect container update requests to an attacker-controlled server, enabling server-side request forgery. The SSRF requests expose internal cluster metadata including storage policy indexes, partition mappings, device names, and when at rest encryption is enabled, cipher text and initialization vectors for the container-level encryption key. The attacker can also cause "ghost listings" in arbitrary containers via the shard-range redirect mechanism.
CWE
  • CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
Impacted products
Vendor Product Version
OpenStack Swift Affected: 2.0.0 , < 2.35.3 (semver)
Affected: 2.36.0 , < 2.36.2 (semver)
Affected: 2.37.0 , < 2.37.2 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-06-23T17:35:50.922Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/06/23/5"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-50221",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-23T17:38:21.427291Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-23T17:38:26.623Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Swift",
          "repo": "https://opendev.org/openstack/swift",
          "vendor": "OpenStack",
          "versions": [
            {
              "lessThan": "2.35.3",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.36.2",
              "status": "affected",
              "version": "2.36.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.37.2",
              "status": "affected",
              "version": "2.37.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:openstack:swift:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.35.3",
                  "versionStartIncluding": "2.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:openstack:swift:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.36.2",
                  "versionStartIncluding": "2.36.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:openstack:swift:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.37.2",
                  "versionStartIncluding": "2.37.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In OpenStack Swift before 2.37.2, proxy-server does not strip internal update headers (X-Container-Host, X-Container-Device, X-Delete-At-Host, X-Delete-At-Device) from client requests before forwarding them to object-servers. An authenticated user with write access can inject these headers to redirect container update requests to an attacker-controlled server, enabling server-side request forgery. The SSRF requests expose internal cluster metadata including storage policy indexes, partition mappings, device names, and when at rest encryption is enabled, cipher text and initialization vectors for the container-level encryption key. The attacker can also cause \"ghost listings\" in arbitrary containers via the shard-range redirect mechanism."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-23T17:03:32.971Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://launchpad.net/bugs/2150261"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2026/06/23/5"
        },
        {
          "url": "https://security.openstack.org/ossa/OSSA-2026-024.html"
        }
      ],
      "x_generator": {
        "engine": "CVE-Request-form 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2026-50221",
    "datePublished": "2026-06-23T17:03:32.971Z",
    "dateReserved": "2026-06-04T04:51:16.073Z",
    "dateUpdated": "2026-06-23T17:38:26.623Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-49017 (GCVE-0-2026-49017)

Vulnerability from cvelistv5 – Published: 2026-05-27 01:57 – Updated: 2026-06-02 17:33
VLAI?
Summary
In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing CPU and memory consumption. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0.
CWE
  • CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Assigner
Impacted products
Vendor Product Version
OpenStack Swift Affected: 2.36.0 , < 2.36.2 (semver)
Affected: 2.37.0 , < 2.37.2 (semver)
Affected: 2.35.1 , < 2.35.3 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-49017",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T13:52:48.762325Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T13:52:55.767Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-06-02T17:33:08.620Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/27/9"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/06/02/6"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Swift",
          "repo": "https://opendev.org/openstack/swift",
          "vendor": "OpenStack",
          "versions": [
            {
              "lessThan": "2.36.2",
              "status": "affected",
              "version": "2.36.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.37.2",
              "status": "affected",
              "version": "2.37.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.35.3",
              "status": "affected",
              "version": "2.35.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:openstack:swift:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.36.2",
                  "versionStartIncluding": "2.36.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:openstack:swift:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.37.2",
                  "versionStartIncluding": "2.37.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:openstack:swift:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.35.3",
                  "versionStartIncluding": "2.35.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing CPU and memory consumption. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-835",
              "description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-02T16:25:12.172Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://bugs.launchpad.net/bugs/2152205"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://review.opendev.org/c/openstack/swift/+/987957"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://review.opendev.org/c/openstack/swift/+/988093"
        }
      ],
      "x_generator": {
        "engine": "CVE-Request-form 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2026-49017",
    "datePublished": "2026-05-27T01:57:58.831Z",
    "dateReserved": "2026-05-27T01:57:58.189Z",
    "dateUpdated": "2026-06-02T17:33:08.620Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}