Authorization Flaw in OpenStack Barbican Allows Data Modification by Unauthorized Users
CVE-2022-23451
8.1HIGH
Summary
An authorization flaw exists in OpenStack Barbican, where default policy rules allow any authenticated user to interact with secret metadata inappropriately. This includes the ability to add, modify, or delete metadata for any secret without ownership verification. An attacker could exploit this flaw to alter or remove critical data, potentially leading to denial of service by consuming protected resources and compromising data integrity.
Affected Version(s)
openstack/barbican Fixed in v14.0.0
References
CVSS V3.1
Score:
8.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved