CVE-2022-47950: 
Python vulnerability analysis and mitigation

CVE-2022-47950 affects OpenStack Swift versions before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. The vulnerability was discovered by Sébastien Meriot from OVH and reported on January 17, 2023. The issue affects OpenStack Swift's S3 API implementation, impacting both s3api deployments (Rocky or later) and swift3 deployments (Queens and earlier, which is no longer actively developed). Only deployments with S3 compatibility enabled are affected (OpenStack Advisory, Debian Advisory).

The vulnerability exists in Swift's S3 XML parser implementation. The issue stems from improper handling of XML entities in the parser, which allows authenticated users to exploit the XML parsing functionality. The vulnerability is located in the file swift/common/middleware/s3api/etree.py. The security impact has been rated as Important, with a CVSS v3.0 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) (OSS Security).

When exploited, this vulnerability allows an authenticated user to coerce the S3 API into returning arbitrary file contents from the host server. This results in unauthorized read access to potentially sensitive data stored on the system. The impact is limited to deployments that have S3 compatibility enabled (OpenStack Advisory).

The vulnerability has been fixed in Swift versions 2.28.1, 2.29.2, and versions after 2.30.0. Organizations can either patch their Swift installations to these versions or disable S3 compatibility if not required. Patches have been provided for multiple OpenStack releases including Antelope, Wallaby, Xena, Yoga, and Zed. Various Linux distributions have also released security updates, including Red Hat, Debian, and Ubuntu (Red Hat Advisory, OpenStack Advisory).