CVE-2012-4406

CRITICAL

OpenStack Swift < 1.7.0 - Insecure Deserialization

Title source: rule

Description

OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object.

Scores

CVSS v3 9.8
EPSS 0.0471
EPSS Percentile 89.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-502
Status draft

Affected Products (9)

openstack/swift < 1.7.0
fedoraproject/fedora
redhat/gluster_storage_management_console
redhat/gluster_storage_server_for_on-premise
redhat/storage
redhat/storage_for_public_cloud
redhat/enterprise_linux_server
redhat/enterprise_linux_server
pypi/swift < 1.7.0 (PyPI)

Timeline

Published Oct 22, 2012
Tracked Since Feb 18, 2026