CVE-2022-23451

CWE-863 — Incorrect Authorization9 documents7 sources

Severity

8.1HIGH

EPSS

0.4%

top 38.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openstack Barbican Redhat Openstack Platform

Timeline

PublishedSep 6

Latest updateSep 7

Description

An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:HExploitability: 2.8 | Impact: 5.2

Affected Packages6 packages

▶NVDopenstack/barbican< 14.0.0

▶CVEListV5openstack/barbicanFixed in v14.0.0

▶PyPIbarbican< 14.0.0

▶Debianbarbican< 1:14.0.0~rc1-2+2

▶Ubuntubarbican< 1:6.0.1-0ubuntu1.1+1

Patches

Patch: review.opendev.org ↗Patch: review.opendev.org ↗

🔴Vulnerability Details

OSV

Barbican authorization flaw before v14.0.0↗2022-09-07

▶

GHSA

Barbican authorization flaw before v14.0.0↗2022-09-07

▶

OSV

CVE-2022-23451: An authorization flaw was found in openstack-barbican↗2022-09-06

▶

CVEList

CVE-2022-23451: An authorization flaw was found in openstack-barbican↗2022-09-06

▶

OSV

barbican vulnerabilities↗2022-04-25

▶

📋Vendor Advisories

Ubuntu

Barbican vulnerabilities↗2022-04-25

▶

Debian

CVE-2022-23451: barbican - An authorization flaw was found in openstack-barbican. The default policy rules ...↗2022

▶

Red Hat

openstack-barbican: Barbican allows authenticated users to add/modify/delete arbitrary metadata on any secret↗2021-12-13

▶