CVE-2014-3497: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
(updated )
It was found that Swift does not escape all HTTP header values, allowing data to be injected into the responses sent from the Swift server. This could lead to cross-site scripting attacks (and possibly other impacts) if a user were tricked into clicking on a malicious URL.
References
- lists.openstack.org/pipermail/openstack-announce/2014-June/000243.html
- www.openwall.com/lists/oss-security/2014/06/19/10
- www.ubuntu.com/usn/USN-2256-1
- access.redhat.com/errata/RHSA-2014:0941
- access.redhat.com/security/cve/CVE-2014-3497
- bugzilla.redhat.com/show_bug.cgi?id=1110809
- github.com/advisories/GHSA-66vj-393f-hxfv
- nvd.nist.gov/vuln/detail/CVE-2014-3497
- review.openstack.org/
- review.openstack.org/
- web.archive.org/web/20200229060002/http://www.securityfocus.com/bid/68116
Code Behaviors & Features
Detect and mitigate CVE-2014-3497 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →