Key Vulnerability Information

Bug ID: OSSA 2015-006
CVE ID: CVE-2015-1856

Description: Unauthorized delete from container with x-versions-location. This vulnerability allows an authenticated user to delete the most recent versions of a versioned object within a container, even if they do not have the necessary delete permissions on that object.

Impact:
- Importance: Medium
- Products: OpenStack Object Storage (swift), OpenStack Security Advisory
- Milestone: OpenStack Object Storage (swift) 2.3.0 "kilo"

Status: Fix Released
Tags: in-stable-icehouse, in-stable-juno

Fix Details:
- Call the authorize callback for the original DELETE request before handling the version case, to ensure the request is authorized to DELETE objects in the source container.
- Make the same call to the authorize callback again for the fall-through DELETE to the x-versions-location container.

CVE References: CVE-2015-1856

Discussion Points:
- Workaround or mitigation strategies
- Confirmation of the vulnerability impact across different versions (1.5.0 to 2.2.2)
- Inclusion in OSA (OpenStack Security Advisory) and CVE request
- Testing and patch release timeline (target milestone: OpenStack Object Storage (swift) 2.3.0 "kilo")
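The two-step authorization described under Fix Details, modelled as an added example; this is not Swift's code. Container layout, ACL model, the `authorize` stand-in and the `obj/<timestamp>` version naming are constructed for illustration.

```python
"""Added example (not Swift's code): authorizing both steps of a versioned DELETE.

A DELETE on a versioned object touches two containers: the source container
(current object removed) and the x-versions-location container (most recent
previous version restored and its copy removed). Per the fix, the caller is
authorized against BOTH containers before anything is modified.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class Forbidden(Exception):
    pass


@dataclass
class Container:
    objects: Dict[str, bytes] = field(default_factory=dict)  # name -> data
    write_acl: Set[str] = field(default_factory=set)          # users allowed to DELETE
    versions_location: Optional[str] = None                   # x-versions-location


def authorize(user: str, container: Container) -> None:
    """Constructed stand-in for the per-request authorize callback."""
    if user not in container.write_acl:
        raise Forbidden(f"{user} may not DELETE in this container")


def delete_object(store: Dict[str, Container], user: str, cname: str, obj: str) -> str:
    src = store[cname]
    # Fix step 1: authorize the original DELETE against the source container
    # before the versioned-object branch runs.
    authorize(user, src)
    if src.versions_location is None:
        src.objects.pop(obj, None)
        return "deleted"
    vers = store[src.versions_location]
    # Fix step 2: the fall-through DELETE into the x-versions-location
    # container is a separate request and is authorized on its own.
    authorize(user, vers)
    prev = sorted(n for n in vers.objects if n.startswith(obj + "/"))
    if not prev:
        src.objects.pop(obj, None)
        return "deleted"
    src.objects[obj] = vers.objects.pop(prev[-1])  # restore the newest previous version
    return "restored"


def attempt_delete(store, user, cname, obj) -> str:
    """Wrapper that reports a denied request instead of raising."""
    try:
        return delete_object(store, user, cname, obj)
    except Forbidden:
        return "forbidden"


def build_store() -> Dict[str, Container]:
    """Constructed sample state: alice may write, mallory may not."""
    return {
        "photos": Container({"cat.jpg": b"v3"}, {"alice"}, "photos_versions"),
        "photos_versions": Container({"cat.jpg/0001": b"v1", "cat.jpg/0002": b"v2"}, {"alice"}),
    }
```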