CVE-2012-4406

CRITICALCVSS 9.8

9.8

OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object.

📋 Advisory Details (8)

Auto-updated Apr 29, 2026

Patch available. Sources: redhat.

generic

Do not use pickle for serialization in memcache, but JSON · openstack/swift@e1ff51c · GitHub

https://github.com/openstack/swift/commit/e1ff51c04554d51616d2845f92ab726cb0e5831a

generic

IBM X-Force Exchange

https://exchange.xforce.ibmcloud.com/vulnerabilities/79140

redhat✅ Patch Available

854757 – (CVE-2012-4406) CVE-2012-4406 Openstack-Swift: insecure use of python pickle()

https://bugzilla.redhat.com/show_bug.cgi?id=854757

generic

Bug #1006414 “Insecure loads()” : Bugs : OpenStack Object Storage (swift)

https://bugs.launchpad.net/swift/+bug/1006414

generic

oss-security - CVE-Request: openstack pickle de-serialization

http://www.openwall.com/lists/oss-security/2012/09/05/4

generic

oss-security - Re: CVE-Request: openstack pickle de-serialization

http://www.openwall.com/lists/oss-security/2012/09/05/16

generic

http://rhn.redhat.com/errata/RHSA-2013-0691.html

generic

http://rhn.redhat.com/errata/RHSA-2012-1379.html

Is Your Infrastructure Affected by CVE-2012-4406?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2012-4406

📅 Published

🔄 Last Modified

📋 Advisory Details (8)

Do not use pickle for serialization in memcache, but JSON · openstack/swift@e1ff51c · GitHub

IBM X-Force Exchange

854757 – (CVE-2012-4406) CVE-2012-4406 Openstack-Swift: insecure use of python pickle()

Bug #1006414 “Insecure loads()” : Bugs : OpenStack Object Storage (swift)

oss-security - CVE-Request: openstack pickle de-serialization

oss-security - Re: CVE-Request: openstack pickle de-serialization

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2012-4406?