CVE-2014-0006: OpenStack Swift Discloses Secret URLs to Timing Attack
7.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.4943%
CWE
Published
5/17/2022
Updated
11/26/2024
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
swift | pip | >= 1.4.6, <= 1.8.0 | |
swift | pip | >= 1.9.0, <= 1.10.0 | |
swift | pip | = 1.11.0 | 1.12.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insecure timing-sensitive string comparison in TempURL middleware. The commit 7546339 shows the fix replaced the vulnerable 'in' check with a constant-time comparison using 'streq_const_time'. The original code path in the call method performed a linear scan of hmac_vals with short-circuiting logic, making response times dependent on input similarity to valid signatures. This matches the CVE description of a timing side-channel attack against TempURL signatures.