Authorization Flaw in OpenStack Barbican Allows Data Modification by Unauthorized Users
CVE-2022-23451

8.1HIGH

Key Information:

Vendor
Openstack
Status
Openstack/barbican
Vendor
CVE Published:
6 September 2022

Summary

An authorization flaw exists in OpenStack Barbican, where default policy rules allow any authenticated user to interact with secret metadata inappropriately. This includes the ability to add, modify, or delete metadata for any secret without ownership verification. An attacker could exploit this flaw to alter or remove critical data, potentially leading to denial of service by consuming protected resources and compromising data integrity.

Affected Version(s)

openstack/barbican Fixed in v14.0.0

References

https://bugzilla.redhat.com/show_bug.cgi?id=2025089
x_refsource_MISC
https://bugzilla.redhat.com/show_bug.cgi?id=2022878
x_refsource_MISC
https://storyboard.openstack.org/#%21/story/2009253
x_refsource_MISC

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.