{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-06-19T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in OpenStack Swift 1.11.0 through 1.13.1 allows remote attackers to inject arbitrary web script or HTML via the WWW-Authenticate header."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-05-04T16:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "USN-2256-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2256-1"}, {"name": "59532", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/59532"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://review.openstack.org/#/c/101031/"}, {"name": "[oss-security] 20140619 [OSSA 2014-020] XSS in Swift requests through WWW-Authenticate header  (CVE-2014-3497)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2014/06/19/10"}, {"name": "68116", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/68116"}, {"name": "[openstack-announce] 20140619 [OSSA 2014-020] XSS in Swift requests through WWW-Authenticate header (CVE-2014-3497)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://lists.openstack.org/pipermail/openstack-announce/2014-June/000243.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://review.openstack.org/#/c/101032/"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:43:06.335Z"}, "title": "CVE Program Container", "references": [{"name": "USN-2256-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2256-1"}, {"name": "59532", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/59532"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://review.openstack.org/#/c/101031/"}, {"name": "[oss-security] 20140619 [OSSA 2014-020] XSS in Swift requests through WWW-Authenticate header  (CVE-2014-3497)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2014/06/19/10"}, {"name": "68116", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/68116"}, {"name": "[openstack-announce] 20140619 [OSSA 2014-020] XSS in Swift requests through WWW-Authenticate header (CVE-2014-3497)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://lists.openstack.org/pipermail/openstack-announce/2014-June/000243.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://review.openstack.org/#/c/101032/"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-3497", "datePublished": "2014-07-03T17:00:00", "dateReserved": "2014-05-14T00:00:00", "dateUpdated": "2024-08-06T10:43:06.335Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:swift:1.11.0:*:*:*:*:*:*:*", "matchCriteriaId": "8597C3D7-2CFA-439B-82D6-2A651F74E5BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:swift:1.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "8EFF63A3-C15C-49A2-AD88-CAA98184C1CE", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:swift:1.13.0:*:*:*:*:*:*:*", "matchCriteriaId": "433EDE19-9BF8-4736-B792-EEE1296114D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:swift:1.13.1:*:*:*:*:*:*:*", "matchCriteriaId": "67675C43-C258-41DE-BD75-CC5E2168E82D", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:swift:1.13.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "9E41D234-69D2-47C9-B0CB-E8FA80CF1623", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:swift:1.13.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "24229BAF-FF4A-4ACF-9379-74D104F5E558", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in OpenStack Swift 1.11.0 through 1.13.1 allows remote attackers to inject arbitrary web script or HTML via the WWW-Authenticate header."}, {"lang": "es", "value": "Vulnerabilidad de XSS en OpenStack Swift 1.11.0 hasta 1.13.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de la cabecera WWW-Authenticate."}], "id": "CVE-2014-3497", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-07-03T17:55:06.030", "references": [{"source": "secalert@redhat.com", "url": "http://lists.openstack.org/pipermail/openstack-announce/2014-June/000243.html"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/59532"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2014/06/19/10"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/68116"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-2256-1"}, {"source": "secalert@redhat.com", "url": "https://review.openstack.org/#/c/101031/"}, {"source": "secalert@redhat.com", "url": "https://review.openstack.org/#/c/101032/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.openstack.org/pipermail/openstack-announce/2014-June/000243.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/59532"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2014/06/19/10"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/68116"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2256-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://review.openstack.org/#/c/101031/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://review.openstack.org/#/c/101032/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank OpenStack project for reporting this issue. Upstream acknowledges Globo.com Security Team as the original reporter.", "affected_release": [{"advisory": "RHSA-2014:0941", "cpe": "cpe:/a:redhat:openstack:5::el7", "package": "openstack-swift-0:1.13.1-3.el7ost", "product_name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "release_date": "2014-07-24T00:00:00Z"}, {"advisory": "RHSA-2014:0941", "cpe": "cpe:/a:redhat:openstack:5::el7", "package": "python-swiftclient-0:2.1.0-2.el7ost", "product_name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "release_date": "2014-07-24T00:00:00Z"}], "bugzilla": {"description": "openstack-swift: XSS in Swift requests through WWW-Authenticate header", "id": "1110809", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1110809"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "status": "verified"}, "cwe": "CWE-79", "details": ["Cross-site scripting (XSS) vulnerability in OpenStack Swift 1.11.0 through 1.13.1 allows remote attackers to inject arbitrary web script or HTML via the WWW-Authenticate header.", "It was found that Swift did not escape all HTTP header values, allowing data to be injected into the responses sent from the Swift server. This could lead to cross-site scripting attacks (and possibly other impacts) if a user were tricked into clicking on a malicious URL."], "name": "CVE-2014-3497", "package_state": [{"cpe": "cpe:/a:redhat:openstack:3", "fix_state": "Not affected", "package_name": "openstack-swift", "product_name": "Red Hat OpenStack Platform 3"}, {"cpe": "cpe:/a:redhat:openstack:4", "fix_state": "Not affected", "package_name": "openstack-swift", "product_name": "Red Hat OpenStack Platform 4"}], "public_date": "2014-06-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-3497\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-3497"], "threat_severity": "Moderate"}