CVE-2012-4406 — OpenStack Object Storage (swift) Code Injection vulnerability

Description

OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object.

How to fix CVE-2012-4406

To remediate CVE-2012-4406, upgrade the affected package to a fixed version below.

Debian/swift—upgrade to 1.4.8-2 or later
—upgrade to 1.7.0 or later

Is CVE-2012-4406 being exploited?

Low — EPSS is 4.7%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.4.8-2
from 0, < 1.7.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (18)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-4406
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2012-4406
PATCHopendev.org/openstack/swift
WEBlists.fedoraproject.org/pipermail/package-announce/2012-October/089472.html
WEB