CVE-2022-44020

2022-10-3000:15:10

CWE-281

mitre

web.nvd.nist.gov

cve-2022-44020

openstack

sushy-tools

virtualbmc

password protection

libvirt xml domain

security issue

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

AI Score

5.4

Confidence

High

EPSS

0.001

Percentile

17.8%

JSON

An issue was discovered in OpenStack Sushy-Tools through 0.21.0 and VirtualBMC through 2.2.2. Changing the boot device configuration with these packages removes password protection from the managed libvirt XML domain. NOTE: this only affects an “unsupported, production-like configuration.”

Affected configurations

Nvd

Node

opendevsushy-toolsRange<0.21.1openstack

opendevvirtualbmcRange<3.0.0openstack

Node

fedoraprojectfedoraMatch35

fedoraprojectfedoraMatch36

fedoraprojectfedoraMatch37

VendorProductVersionCPE
opendevsushy-tools*cpe:2.3:a:opendev:sushy-tools:*:*:*:*:*:openstack:*:*
opendevvirtualbmc*cpe:2.3:a:opendev:virtualbmc:*:*:*:*:*:openstack:*:*
fedoraprojectfedora35cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
fedoraprojectfedora36cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
fedoraprojectfedora37cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
opendev	sushy-tools	*	cpe:2.3:a:opendev:sushy-tools::::::openstack::*
opendev	virtualbmc	*	cpe:2.3:a:opendev:virtualbmc::::::openstack::*
fedoraproject	fedora	35	cpe:2.3:o:fedoraproject:fedora:35:::::::*
fedoraproject	fedora	36	cpe:2.3:o:fedoraproject:fedora:36:::::::*
fedoraproject	fedora	37	cpe:2.3:o:fedoraproject:fedora:37:::::::*