CVE-2022-47950
swift - security update
Severity: 6.5 MEDIUM (CVSS 3.1)
EPSS: 0.25%
Description
An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. This impacts both s3api deployments (Rocky or later), and swift3 deployments (Queens and earlier, no longer actively developed).
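The behaviour described above (a crafted XML body makes the server return the contents of a local file to the requester) is the XML external entity (XXE) file-disclosure pattern: the document declares a SYSTEM entity pointing at a file, the parser expands it, and the application echoes the expanded element text back. The Python block below is an added example, not OpenStack Swift's s3api code. It parses a constructed CompleteMultipartUpload-shaped request body with Python's `xml.sax` twice, once with external entity resolution enabled (the vulnerable setting) and once disabled, against a temporary "config" file it creates itself. The element names, the file path and the file contents are constructed for illustration and are not taken from the advisory.

```python
"""Illustration of the XML external entity (XXE) file-disclosure pattern.

A parser that resolves external general entities (the vulnerable setting)
expands a SYSTEM entity into the contents of a local file, so that text
ends up inside the element the application later echoes back.  A parser
that does not resolve them yields nothing for that entity.
Added example only: this is not OpenStack Swift's s3api code.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class _ETagCollector(ContentHandler):
    """Collects the character data found inside <ETag> elements only."""

    def __init__(self):
        super().__init__()
        self._in_etag = False
        self.etag_text = []

    def startElement(self, name, attrs):
        self._in_etag = (name == "ETag")

    def endElement(self, name):
        if name == "ETag":
            self._in_etag = False

    def characters(self, content):
        if self._in_etag:
            self.etag_text.append(content)


def parse_etag(xml_bytes, resolve_external_entities):
    """Parse an S3-style request body and return the text of its <ETag>.

    resolve_external_entities=True mimics a parser configured to fetch
    SYSTEM entities (vulnerable).  False is the safe setting and has been
    the default for Python's xml.sax since 3.7.1.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = _ETagCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.etag_text)


def build_xxe_payload(path):
    """Constructed request body shaped like a CompleteMultipartUpload
    document whose <ETag> references a SYSTEM entity for a local file.
    The element names are an assumption for illustration, not the exact
    document the advisory refers to."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE CompleteMultipartUpload [\n'
        b'  <!ENTITY xxe SYSTEM "file://' + path.encode() + b'">\n'
        b']>\n'
        b'<CompleteMultipartUpload>\n'
        b'  <Part><PartNumber>1</PartNumber><ETag>&xxe;</ETag></Part>\n'
        b'</CompleteMultipartUpload>\n'
    )


def demo():
    """Write a constructed 'secret' config file, then parse the same payload
    with the vulnerable and with the hardened setting.
    Returns (text_from_vulnerable_parser, text_from_hardened_parser)."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        # Constructed content; stands in for any file the service can read.
        f.write("swift_hash_path_suffix = constructed-example-secret\n")
        secret_path = f.name
    try:
        payload = build_xxe_payload(secret_path)
        leaked = parse_etag(payload, resolve_external_entities=True)
        hardened = parse_etag(payload, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(hardened))
```

With resolution enabled the returned ETag text is the file's contents, which is exactly what an API handler would copy into its response; with it disabled the entity expands to nothing. The same distinction applies to lxml, which s3api uses for these bodies: an `lxml.etree.XMLParser` constructed with `resolve_entities=False` (and `no_network=True`) does not expand SYSTEM entities, while the default parser does. If you cannot upgrade immediately, confirming that every XML parser in the request path is configured that way is the check to run.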
How to fix CVE-2022-47950
To remediate CVE-2022-47950, upgrade the affected package to one of the fixed versions listed below (the distribution or package name for each entry was not captured on this page):
- upgrade to 2.26.0-10+deb11u1 or later
- upgrade to 2.19.1-1+deb10u1 or later
- upgrade to 2.26.0-10+deb11u1 or later
- upgrade to 2.28.1 or later
Is CVE-2022-47950 being exploited?
Low: EPSS is 0.25%, i.e. the estimated probability that this vulnerability is exploited in the wild within the next 30 days is small. EPSS is a prediction, not evidence that attacks have or have not been observed; any authenticated user of the S3 API can trigger the read, so the score is not a reason to defer the upgrade.
Affected packages (4)
- all versions before 2.26.0-10+deb11u1
- all versions before 2.19.1-1+deb10u1
- all versions before 2.26.0-10+deb11u1
- all versions before 2.28.1
CVSS scores
| Source | CVSS version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | 3.1 | MEDIUM | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |