PYSEC-2017-84

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/swauth/PYSEC-2017-84.yaml

JSON Data

https://api.test.osv.dev/v1/vulns/PYSEC-2017-84

Aliases

Published

2017-11-21T13:29:00Z

Modified

2024-05-01T11:41:24.675035Z

Summary

[none]

Details

An issue was discovered in middleware.py in OpenStack Swauth through 1.2.0 when used with OpenStack Swift through 2.15.1. The Swift object store and proxy server are saving (unhashed) tokens retrieved from the Swauth middleware authentication mechanism to a log file as part of a GET URI. This allows attackers to bypass authentication by inserting a token into an X-Auth-Token header of a new request. NOTE: github.com/openstack/swauth URLs do not mean that Swauth is maintained by an official OpenStack project team.

References

Affected packages

PyPI / swauth

Package

Name: swauth; View open source insights on deps.dev
Purl: pkg:pypi/swauth

Affected ranges

Type: GIT
Repo: https://github.com/openstack/swauth
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

70af7986265a3defea054c46efc82d0698917298

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.0

Affected versions

1.*

1.0.8

1.1.0

1.2.0