Bug 2025089 (CVE-2022-23451)
| Summary: | CVE-2022-23451 openstack-barbican: Barbican allows authenticated users to add/modify/delete arbitrary metadata on any secret | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | alee, dbecker, dmendiza, hrybacki, jjoyce, jschluet, lhh, lpeer, mburns, sclewis, security-response-team, slinaber |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata on any secret, regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-06-22 20:06:32 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2043274, 2043271, 2043273 | | |
| Bug Blocks: | 2025092, 2042487 | | |
Description

Pedro Sampaio, 2021-11-19 20:36:16 UTC

Upstream issue: https://storyboard.openstack.org/#!/story/2009253

Created openstack-barbican tracking bugs for this issue:

Affects: openstack-rdo [bug 2043274]

This issue has been addressed in the following products:

Red Hat OpenStack Platform 16.2

Via RHSA-2022:5114 https://access.redhat.com/errata/RHSA-2022:5114

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-23451

This issue has been addressed in the following products:

Red Hat OpenStack Platform 16.1

Via RHSA-2022:8874 https://access.redhat.com/errata/RHSA-2022:8874