Severity: HIGH

GHSA-g7jq-j257-rww2

OpenStack Swift: s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body

Details

In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing CPU and memory consumption. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0.
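The failure mode described above is the classic "retry on empty read" mistake: a reader that needs N more bytes keeps calling read() after the client has stopped sending, and since every further read returns an empty buffer it never makes progress. The following is an added illustration, not Swift's StreamingInput code, of a minimal aws-chunked body decoder that treats an empty read as end-of-stream and raises instead of looping; the chunk signatures in the sample inputs are constructed placeholders and are not verified.

```python
import io

CHUNK_SIG_PREFIX = b";chunk-signature="


class TruncatedBody(Exception):
    """The client closed the stream before the aws-chunked body was complete."""


def _read_exact(stream, n):
    # Read exactly n bytes. An empty read means the peer has stopped sending;
    # retrying would never return more data, so fail fast instead of looping.
    buf = bytearray()
    while len(buf) < n:
        piece = stream.read(n - len(buf))
        if not piece:
            raise TruncatedBody(f"expected {n} bytes, got {len(buf)} before EOF")
        buf.extend(piece)
    return bytes(buf)


def _read_line(stream, limit=1024):
    # Read one CRLF-terminated chunk header, byte by byte (simple, not fast).
    line = bytearray()
    while not line.endswith(b"\r\n"):
        b = stream.read(1)
        if not b:
            raise TruncatedBody("EOF inside chunk header")
        line.extend(b)
        if len(line) > limit:
            raise ValueError("chunk header too long")
    return bytes(line[:-2])


def decode_aws_chunked(stream):
    """Yield the payload of each chunk; raise TruncatedBody on early EOF.

    Wire format per chunk: <hex size>;chunk-signature=<sig>\r\n<data>\r\n
    The body ends with a zero-size chunk.
    """
    while True:
        header = _read_line(stream)
        size_field, sep, _signature = header.partition(CHUNK_SIG_PREFIX)
        if not sep:
            raise ValueError("chunk header missing signature")
        size = int(size_field, 16)
        if size == 0:
            return  # final chunk; trailing CRLF and any trailers follow
        yield _read_exact(stream, size)
        if _read_exact(stream, 2) != b"\r\n":
            raise ValueError("chunk data not CRLF-terminated")


def decode_all(data):
    """Decode a complete in-memory aws-chunked body into its payload bytes."""
    return b"".join(decode_aws_chunked(io.BytesIO(data)))


def body_is_complete(data):
    """True if the body decodes fully, False if the client cut it short."""
    try:
        decode_all(data)
        return True
    except TruncatedBody:
        return False


# Constructed sample inputs (placeholder signatures, not real HMACs).
FAKE_SIG_1 = b"a" * 64
FAKE_SIG_2 = b"b" * 64
COMPLETE_BODY = (
    b"5" + CHUNK_SIG_PREFIX + FAKE_SIG_1 + b"\r\nhello\r\n"
    + b"0" + CHUNK_SIG_PREFIX + FAKE_SIG_2 + b"\r\n\r\n"
)
# Same request with the connection dropped after three data bytes.
TRUNCATED_BODY = b"5" + CHUNK_SIG_PREFIX + FAKE_SIG_1 + b"\r\nhel"

if __name__ == "__main__":
    print(decode_all(COMPLETE_BODY))            # b'hello'
    print(body_is_complete(TRUNCATED_BODY))     # False, and the call returns promptly
```

The important line is the `if not piece` check in `_read_exact`: a zero-length read is the stream's only signal that no more data is coming, so a reader that silently appends it and loops again has no termination condition. Failing the request lets the worker return to the pool instead of spinning.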


Affected packages

PyPI / swift
Introduced in: 2.36.0

No fixed version published yet for swift (pip). Pin to a known-safe version or switch to an alternative.

PyPI / swift
Introduced in: 2.37.0

No fixed version published yet for swift (pip). Pin to a known-safe version or switch to an alternative.
