Vulnerability Name:

CVE-2015-1856 (CCN-102283)

Assigned:2015-04-14
Published:2015-04-14
Updated:2018-01-05
Summary:OpenStack Object Storage (Swift) before 2.3.0, when allow_version is configured, allows remote authenticated users to delete the latest version of an object by leveraging listing access to the x-versions-location container.
CVSS v3 Severity:4.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:5.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:P)
4.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): Partial
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:P)
4.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-264
Vulnerability Consequences:Informational
References:Source: MITRE
Type: CNA
CVE-2015-1856

Source: FEDORA
Type: UNKNOWN
FEDORA-2015-12245

Source: MLIST
Type: Vendor Advisory
[openstack-announce] 20150414 [OSSA 2015-006] Unauthorized delete of versioned Swift object (CVE-2015-1856)

Source: SUSE
Type: UNKNOWN
SUSE-SU-2015:1846

Source: REDHAT
Type: UNKNOWN
RHSA-2015:1681

Source: REDHAT
Type: UNKNOWN
RHSA-2015:1684

Source: REDHAT
Type: UNKNOWN
RHSA-2015:1845

Source: REDHAT
Type: UNKNOWN
RHSA-2015:1846

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html

Source: BID
Type: Third Party Advisory, VDB Entry
74182

Source: CCN
Type: BID-74182
OpenStack Swift CVE-2015-1856 Arbitrary File Deletion Vulnerability

Source: UBUNTU
Type: Third Party Advisory
USN-2704-1

Source: CCN
Type: OSSA 2015-006
unauthorized delete from container with x-version-location (CVE-2015-1856)

Source: CONFIRM
Type: Vendor Advisory
https://bugs.launchpad.net/swift/+bug/1430645

Source: XF
Type: UNKNOWN
openstack-cve20151856-file-delete(102283)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2015-1856

Vulnerable Configuration:Configuration 1:
  • cpe:/a:openstack:swift:*:*:*:*:*:*:*:* (Version <= 2.2.2)

    • Configuration 2:
  • cpe:/o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:55241
    P
    		Security update for file (Important)
    2021-09-02
    oval:org.opensuse.security:def:55924
    P
    		Security update for arpwatch (Important)
    2021-06-28
    oval:org.opensuse.security:def:56483
    P
    		Security update for sssd (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55479
    P
    		Security update for openssl (Important)
    2020-12-01
    oval:org.opensuse.security:def:56209
    P
    		Security update for cpio (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55079
    P
    		cpp48 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56521
    P
    		Security update for gpg2 (Important)
    2020-12-01
    oval:org.opensuse.security:def:55652
    P
    		Security update for glibc (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56317
    P
    		Security update for sudo (Important)
    2020-12-01
    oval:org.opensuse.security:def:55101
    P
    		eog on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56602
    P
    		Security update for openssl (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55758
    P
    		Security update for xen (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56409
    P
    		Security update for xen (Important)
    2020-12-01
    oval:org.opensuse.security:def:55078
    P
    		cpio on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:20151856
    V
    		CVE-2015-1856
    2020-11-28
    oval:com.ubuntu.precise:def:20151856000
    V
    		CVE-2015-1856 on Ubuntu 12.04 LTS (precise) - medium.
    2015-04-17
    oval:com.ubuntu.trusty:def:20151856000
    V
    		CVE-2015-1856 on Ubuntu 14.04 LTS (trusty) - medium.
    2015-04-17
    BACK
    openstack swift *
    canonical ubuntu linux 12.04
    canonical ubuntu linux 14.04
    canonical ubuntu linux 15.04