CVE-2022-23451

2022-09-0618:15:10

CWE-863

[email protected]

web.nvd.nist.gov

openstack

barbican

authorization flaw

secret metadata

denial of service

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

EPSS

0.001

Percentile

46.9%

JSON

An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources.

Affected configurations

Nvd

Node

openstackbarbicanRange<14.0.0

Node

redhatopenstack_platformMatch13.0

redhatopenstack_platformMatch16.1

redhatopenstack_platformMatch16.2

VendorProductVersionCPE
openstackbarbican*cpe:2.3:a:openstack:barbican:*:*:*:*:*:*:*:*
redhatopenstack_platform13.0cpe:2.3:a:redhat:openstack_platform:13.0:*:*:*:*:*:*:*
redhatopenstack_platform16.1cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:*
redhatopenstack_platform16.2cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
openstack	barbican	*	cpe:2.3:a:openstack:barbican::::::::
redhat	openstack_platform	13.0	cpe:2.3:a:redhat:openstack_platform:13.0:::::::*
redhat	openstack_platform	16.1	cpe:2.3:a:redhat:openstack_platform:16.1:::::::*
redhat	openstack_platform	16.2	cpe:2.3:a:redhat:openstack_platform:16.2:::::::*