CVE 2015-1856
OpenStack Object Storage (Swift) before 2.3.0, when allow_version is configured, allows remote authenticated users to delete the latest version of an object by leveraging listing access to the x-versions-location container.
Related bugs and status
CVE-2015-1856 (Candidate) is related to these bugs:
Bug #1419916: Container-sync doesn't timeout when putting/deleting object
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1419916 | Container-sync doesn't timeout when putting/deleting object | OpenStack Object Storage (swift) | Undecided | Fix Released | ||
Bug #1425679: swift-object-info should try harder on tombstones
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1425679 | swift-object-info should try harder on tombstones | OpenStack Object Storage (swift) | Wishlist | Fix Released | ||
Bug #1428866: swift-object-info display for sysmeta
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1428866 | swift-object-info display for sysmeta | OpenStack Object Storage (swift) | Wishlist | Fix Released | ||
Bug #1430645: [OSSA 2015-006] unauthorized delete from container with x-version-location (CVE-2015-1856)
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1430645 | [OSSA 2015-006] unauthorized delete from container with x-version-location (CVE-2015-1856) | OpenStack Object Storage (swift) | Undecided | Fix Released | ||
| 1430645 | [OSSA 2015-006] unauthorized delete from container with x-version-location (CVE-2015-1856) | OpenStack Security Advisory | Medium | Fix Released | ||
Bug #1434465: Tempauth Fails with Authorization Header
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1434465 | Tempauth Fails with Authorization Header | OpenStack Object Storage (swift) | Undecided | Fix Released | ||
Bug #1437442: v1 in the API url seems to be a placeholder
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1437442 | v1 in the API url seems to be a placeholder | OpenStack Object Storage (swift) | High | Fix Released | ||
Bug #1438579: swift-ring-builder - empty device name
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1438579 | swift-ring-builder - empty device name | OpenStack Object Storage (swift) | Undecided | Fix Released | ||
Bug #1441599: test_policy_IO_override from test.unit.proxy.test_server.TestObjectController randomly fails
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1441599 | test_policy_IO_override from test.unit.proxy.test_server.TestObjectController randomly fails | OpenStack Object Storage (swift) | Undecided | Fix Released | ||
Bug #1442041: Unauthorized delete of versioned Swift object
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1442041 | Unauthorized delete of versioned Swift object | Mirantis OpenStack | Critical | Fix Released | ||
| 1442041 | Unauthorized delete of versioned Swift object | Mirantis OpenStack 6.1.x | Critical | Fix Released | ||
| 1442041 | Unauthorized delete of versioned Swift object | Mirantis OpenStack 6.0.x | Critical | Fix Released | ||
| 1442041 | Unauthorized delete of versioned Swift object | Mirantis OpenStack 5.1.x | Critical | Fix Released | ||
Bug #1444327: String not translatable in swift/common/manager.py
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1444327 | String not translatable in swift/common/manager.py | OpenStack Object Storage (swift) | Undecided | Fix Released | ||
See the 
CVE page on Mitre.org
for more details.
