High severity · NVD Advisory · Published Jan 23, 2014 · Updated Apr 29, 2026
CVE-2014-0006
Description
The TempURL middleware in OpenStack Object Storage (Swift) 1.4.6 through 1.8.0, 1.9.0 through 1.10.0, and 1.11.0 allows remote attackers to obtain secret URLs by leveraging an object name and a timing side-channel attack.
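As an added example (not Swift's own code), the membership check the advisory describes beside a constant-time replacement of the kind the fix introduced, with a small model of why the original leaks. The TempURL signature body ("method\nexpires\npath" under HMAC-SHA1), the key values and the object path are assumptions made for the demo.

```python
import hashlib
import hmac


def get_hmac(method, path, expires, key):
    """TempURL-style signature (assumed format: method, expiry, path)."""
    body = "%s\n%s\n%s" % (method, expires, path)
    return hmac.new(key.encode(), body.encode(), hashlib.sha1).hexdigest()


def naive_bytes_inspected(a, b):
    """Model of `a == b`: stop at the first differing byte and report how many
    bytes were examined. Work grows with the length of the matching prefix,
    which is the signal a remote timing measurement can pick up."""
    n = 0
    for x, y in zip(a, b):
        n += 1
        if x != y:
            return n, False
    return n, len(a) == len(b)


def streq_const_time(a, b):
    """Constant-time equality: every byte feeds the result, so the exit point
    does not depend on where the strings first differ. Length is not secret
    here (a fixed-size hex digest). hmac.compare_digest does the same."""
    if len(a) != len(b):
        return False
    result = 0
    for x, y in zip(a.encode(), b.encode()):
        result |= x ^ y
    return result == 0


def validate_vulnerable(temp_url_sig, hmac_vals):
    # Pre-fix check: `in` compares with ==, leaking the matching-prefix length.
    return temp_url_sig in hmac_vals


def validate_fixed(temp_url_sig, hmac_vals):
    # Post-fix check: any() exits early only on a valid signature, so every
    # rejected request does full-length comparisons against every key.
    return any(streq_const_time(temp_url_sig, h) for h in hmac_vals)


def guess_with_prefix(sig, n):
    """Constructed wrong signature sharing exactly its first n chars with sig."""
    wrong_char = "0" if sig[n] != "0" else "1"
    return sig[:n] + wrong_char + "0" * (len(sig) - n - 1)
```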
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| swift (PyPI) | >= 1.4.6, <= 1.8.0 | — |
| swift (PyPI) | >= 1.9.0, <= 1.10.0 | — |
| swift (PyPI) | >= 1.11.0, < 1.12.0 | 1.12.0 |
Affected products
- cpe:2.3:a:openstack:swift:1.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:swift:1.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:swift:1.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:swift:1.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:swift:1.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:swift:1.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:swift:1.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:swift:1.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:swift:1.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:swift:1.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:swift:1.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:swift:1.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:swift:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:swift:1.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:swift:1.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:swift:1.9.2:*:*:*:*:*:*:*
Patches
Commit 754633988931: Use constant time comparison in tempURL
1 file changed · +8 −2
swift/common/middleware/tempurl.py+8 −2 modified@@ -106,7 +106,7 @@ from swift.proxy.controllers.base import get_account_info from swift.common.swob import HeaderKeyDict, HTTPUnauthorized from swift.common.utils import split_path, get_valid_utf8_str, \ - register_swift_info, get_hmac + register_swift_info, get_hmac, streq_const_time #: Default headers to remove from incoming requests. Simply a whitespace @@ -284,7 +284,13 @@ def __call__(self, env, start_response): request_method='PUT')) else: hmac_vals = self._get_hmacs(env, temp_url_expires, keys) - if temp_url_sig not in hmac_vals: + + # While it's true that any() will short-circuit, this doesn't affect + # the timing-attack resistance since the only way this will + # short-circuit is when a valid signature is passed in. + is_valid_hmac = any(streq_const_time(temp_url_sig, hmac) + for hmac in hmac_vals) + if not is_valid_hmac: return self._invalid(env, start_response) self._clean_incoming_headers(env) env['swift.authorize'] = lambda req: None
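Review bot: in the second hunk, `is_valid_hmac = any(streq_const_time(temp_url_sig, hmac) for hmac in hmac_vals)` correctly replaces the `in` check (whose `==` returns at the first mismatching byte), but the commit touches only `swift/common/middleware/tempurl.py` (1 file changed, +8 −2) and adds no test, so a later refactor back to `in` or `==` would go unnoticed; add a unit test asserting that a signature differing from a valid one only in its final character is rejected and that the comparison goes through `streq_const_time`. Also worth confirming that `streq_const_time` returns False, rather than raising, when the caller-supplied `temp_url_sig` has a different length from the computed digests, since that value comes straight from the request. The in-code comment about `any()` is accurate: the early exit happens only on a match, so a rejected request always compares against every key.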
References
- www.openwall.com/lists/oss-security/2014/01/17/5 (NVD: Patch)
- bugs.launchpad.net/swift/+bug/1265665 (NVD: Vendor Advisory)
- github.com/advisories/GHSA-cf9m-q836-vf26 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2014-0006 (GHSA: Advisory)
- rhn.redhat.com/errata/RHSA-2014-0232.html (NVD)
- github.com/openstack/swift/commit/754633988931e4095530f6b13389c254096eb485 (GHSA)
- github.com/pypa/advisory-database/tree/main/vulns/swift/PYSEC-2014-116.yaml (GHSA)