CVE-2023-1633 - OpenCVE

A credentials leak flaw was found in OpenStack Barbican. This flaw allows a local authenticated attacker to read the configuration file, gaining access to sensitive credentials.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Openstack Platform
Openstack	Barbican

Configuration 1 [-]

cpe:2.3:a:openstack:barbican:-:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:redhat:openstack_platform:16.1:::::::*
	cpe:2.3:a:redhat:openstack_platform:16.2:::::::*
	cpe:2.3:a:redhat:openstack_platform:17.0:::::::*

References

Link	Resource
https://access.redhat.com/security/cve/CVE-2023-1633	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2181761	Issue Tracking Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2023-09-24T00:09:50.215Z

Updated: 2023-09-24T00:09:50.215Z

Reserved: 2023-03-25T17:59:57.293Z

Link: CVE-2023-1633

JSON object: View

NVD Information

Status : Modified

Published: 2023-09-24T01:15:43.760

Modified: 2023-11-07T04:04:24.977

Link: CVE-2023-1633

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-1633", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-03-25T17:59:57.293Z", "datePublished": "2023-09-24T00:09:50.215Z", "dateUpdated": "2023-09-24T00:09:50.215Z"}, "containers": {"cna": {"title": "Insecure barbican configuration file leaking credential", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A credentials leak flaw was found in OpenStack Barbican. This flaw allows a local authenticated attacker to read the configuration file, gaining access to sensitive credentials."}], "affected": [{"product": "openstack-barbican", "vendor": "n/a", "defaultStatus": "affected"}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 13 (Queens)", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-barbican", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:openstack:13"]}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 16.1", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-barbican", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openstack:16.1"]}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 16.2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-barbican", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openstack:16.2"]}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 17.0", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-barbican", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openstack:17.0"]}, {"product": "OpenStack RDO", "vendor": "RDO", "collectionURL": "https://repos.fedorapeople.org/repos/openstack/", "packageName": "openstack-barbican", "defaultStatus": "affected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-1633", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181761", "name": "RHBZ#2181761", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2023-04-21T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "timeline": [{"lang": "en", "time": "2023-03-25T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-04-21T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "This issue was discovered by Ade Lee (Red Hat) and Grzegorz Grasza (Red Hat)."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-09-24T00:09:50.215Z"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:barbican:-:*:*:*:*:*:*:*", "matchCriteriaId": "596EFC6C-4D91-4EDF-9EC6-1C58EB485C5E", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:*", "matchCriteriaId": "DCC81071-B46D-4F5D-AC25-B4A4CCC20C73", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:*", "matchCriteriaId": "4B3000D2-35DF-4A93-9FC0-1AD3AB8349B8", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:17.0:*:*:*:*:*:*:*", "matchCriteriaId": "F7076B1E-0529-43CC-828B-45C2ED11F9F6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A credentials leak flaw was found in OpenStack Barbican. This flaw allows a local authenticated attacker to read the configuration file, gaining access to sensitive credentials."}, {"lang": "es", "value": "Se encontr\u00f3 una falla de fuga de credenciales en OpenStack Barbican. Esta falla permite que un atacante autenticado local lea el archivo de configuraci\u00f3n y obtenga acceso a credenciales sensibles."}], "id": "CVE-2023-1633", "lastModified": "2023-11-07T04:04:24.977", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.7, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2023-09-24T01:15:43.760", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-1633"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181761"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "secalert@redhat.com", "type": "Secondary"}]}