CVE-2022-23451
CVSS V2 None
CVSS V3 High 8.1
Description
An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources.
Overview
- CVE ID
- CVE-2022-23451
- Assigner
- secalert@redhat.com
- Vulnerability Status
- Modified
- Published Version
- 2022-09-06T18:15:10
- Last Modified Date
- 2023-02-12T22:15:24
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:openstack:barbican:*:*:*:*:*:*:*:* | 1 | OR | 14.0.0 | |
| cpe:2.3:a:redhat:openstack_platform:13.0:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:* | 1 | OR |
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- LOW
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- NONE
- Availability Impact
- HIGH
- Base Score
- 8.1
- Base Severity
- HIGH
- Exploitability Score
- 2.8
- Impact Score
- 5.2
References
| Reference URL | Reference Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2022:5114 | |
| https://access.redhat.com/errata/RHSA-2022:8874 | |
| https://access.redhat.com/security/cve/CVE-2022-23451 | Issue Tracking Third Party Advisory |
| https://bugzilla.redhat.com/show_bug.cgi?id=2022878 | Issue Tracking Permissions Required |
| https://bugzilla.redhat.com/show_bug.cgi?id=2025089 | Issue Tracking Third Party Advisory |
| https://review.opendev.org/c/openstack/barbican/+/811236 | Patch Third Party Advisory |
| https://storyboard.openstack.org/#%21/story/2009253 |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-23451 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23451 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-09-06 19:00:14 | Added to TrackCVE | |||
| 2023-02-02 22:14:30 | 2023-02-02T21:22:07 | CVE Modified Date | updated | |
| 2023-02-02 22:14:30 | Analyzed | Modified | Vulnerability Status | updated |
| 2023-02-02 22:14:33 | References | updated | ||
| 2023-02-12 23:14:05 | 2023-02-12T22:15:24 | CVE Modified Date | updated |