CVE-2017-16613

CVE-2017-16613 is a critical-severity vulnerability in Openstack Swauth with a CVSS 3.x base score of 9.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-287.

Key facts

Description

An issue was discovered in middleware.py in OpenStack Swauth through 1.2.0 when used with OpenStack Swift through 2.15.1. The Swift object store and proxy server are saving (unhashed) tokens retrieved from the Swauth middleware authentication mechanism to a log file as part of a GET URI. This allows attackers to bypass authentication by inserting a token into an X-Auth-Token header of a new request. NOTE: github.com/openstack/swauth URLs do not mean that Swauth is maintained by an official OpenStack project team.

Frequently asked questions

What is CVE-2017-16613?
An issue was discovered in middleware.py in OpenStack Swauth through 1.2.0 when used with OpenStack Swift through 2.15.1. The Swift object store and proxy server are saving (unhashed) tokens retrieved from the Swauth middleware authentication mechanism to a log file as part of a GET URI. This allows attackers to bypass authentication by inserting a token into an X-Auth-Token header of a new request. NOTE: github.com/openstack/swauth URLs do not mean that Swauth is maintained by an official OpenStack project team.
How severe is CVE-2017-16613?
CVE-2017-16613 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2017-16613 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 8% (94th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2017-16613?
CVE-2017-16613 primarily affects Openstack Swauth. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2017-16613?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
When was CVE-2017-16613 published?
CVE-2017-16613 was published on 2017-11-21 and last updated on 2026-06-17.

References

Affected products (3)

Other CWE-287 (Improper Authentication) vulnerabilities

Browse all CWE-287 (Improper Authentication) vulnerabilities →