Vulnerability Description
An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openstack | Barbican | < 14.0.0 |
| Redhat | Openstack Platform | 13.0 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/security/cve/CVE-2022-23451Issue TrackingThird Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2022878Issue TrackingPermissions Required
- https://bugzilla.redhat.com/show_bug.cgi?id=2025089Issue TrackingThird Party Advisory
- https://review.opendev.org/c/openstack/barbican/+/811236PatchThird Party Advisory
- https://storyboard.openstack.org/#%21/story/2009253
- https://access.redhat.com/security/cve/CVE-2022-23451Issue TrackingThird Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2022878Issue TrackingPermissions Required
- https://bugzilla.redhat.com/show_bug.cgi?id=2025089Issue TrackingThird Party Advisory
- https://review.opendev.org/c/openstack/barbican/+/811236PatchThird Party Advisory
- https://storyboard.openstack.org/#%21/story/2009253
FAQ
What is CVE-2022-23451?
CVE-2022-23451 is a vulnerability with a CVSS score of 8.1 (HIGH). An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless...
How severe is CVE-2022-23451?
CVE-2022-23451 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-23451?
Check the references section above for vendor advisories and patch information. Affected products include: Openstack Barbican, Redhat Openstack Platform.