CVE-2022-23451 - OpenCVE

An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Openstack Platform
Openstack	Barbican

Configuration 1 [-]

cpe:2.3:a:openstack:barbican:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:redhat:openstack_platform:13.0:::::::*
	cpe:2.3:a:redhat:openstack_platform:16.1:::::::*
	cpe:2.3:a:redhat:openstack_platform:16.2:::::::*

References

Link	Resource
https://access.redhat.com/security/cve/CVE-2022-23451	Issue Tracking Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2022878	Issue Tracking Permissions Required
https://bugzilla.redhat.com/show_bug.cgi?id=2025089	Issue Tracking Third Party Advisory
https://review.opendev.org/c/openstack/barbican/+/811236	Patch Third Party Advisory
https://storyboard.openstack.org/#%21/story/2009253

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2022-09-06T17:18:52

Updated: 2022-09-06T17:18:52

Reserved: 2022-01-19T00:00:00

Link: CVE-2022-23451

JSON object: View

NVD Information

Status : Modified

Published: 2022-09-06T18:15:10.640

Modified: 2023-02-12T22:15:24.587

Link: CVE-2022-23451

JSON object: View

Redhat Information

No data.

CWE

CWE-863

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:barbican:*:*:*:*:*:*:*:*", "matchCriteriaId": "F0E48953-548A-4FDC-944E-A86EA5908E9A", "versionEndExcluding": "14.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openstack_platform:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "C52600BF-9E87-4CD2-91F3-685AFE478C1E", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:*", "matchCriteriaId": "DCC81071-B46D-4F5D-AC25-B4A4CCC20C73", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:*", "matchCriteriaId": "4B3000D2-35DF-4A93-9FC0-1AD3AB8349B8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources."}, {"lang": "es", "value": "Se ha encontrado un fallo de autorizaci\u00f3n en openstack-barbican. Las reglas de pol\u00edtica por defecto para la API de metadatos secretos permit\u00edan a cualquier usuario autenticado a\u00f1adir, modificar o eliminar metadatos de cualquier secreto independientemente de su propiedad. Este fallo permite a un atacante en la red modificar o eliminar datos protegidos, causando una denegaci\u00f3n de servicio al consumir recursos protegidos.\n"}], "id": "CVE-2022-23451", "lastModified": "2023-02-12T22:15:24.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-06T18:15:10.640", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2022-23451"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2022878"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025089"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://review.opendev.org/c/openstack/barbican/+/811236"}, {"source": "secalert@redhat.com", "url": "https://storyboard.openstack.org/#%21/story/2009253"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "secalert@redhat.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Secondary"}]}