Bug 2025089 (CVE-2022-23451) - CVE-2022-23451 openstack-barbican: Barbican allows authenticated users to add/modify/delete arbitrary metadata on any secret
Summary: CVE-2022-23451 openstack-barbican: Barbican allows authenticated users to add...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-23451
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2043271 2043273 2043274
Blocks: 2025092 2042487
TreeView+ depends on / blocked
 
Reported: 2021-11-19 20:36 UTC by Pedro Sampaio
Modified: 2023-02-01 23:23 UTC (History)
12 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2022-06-22 20:06:32 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:5114 0 None None None 2022-06-22 16:05:56 UTC
Red Hat Product Errata RHSA-2022:8874 0 None None None 2022-12-07 20:27:45 UTC

Description Pedro Sampaio 2021-11-19 20:36:16 UTC 
The default policy rules for the secret metadata API allow any authenticated user to add, modify, or delete metadata from any secret regardless of ownership.

References:

https://bugzilla.redhat.com/show_bug.cgi?id=2022878
Comment 1 Summer Long 2021-12-13 23:42:05 UTC 
Upstream issue: https://storyboard.openstack.org/#!/story/2009253
Comment 2 Summer Long 2022-01-20 23:24:46 UTC 
Created openstack-barbican tracking bugs for this issue:

Affects: openstack-rdo [bug 2043274]
Comment 6 errata-xmlrpc 2022-06-22 16:05:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:5114 https://access.redhat.com/errata/RHSA-2022:5114
Comment 7 Product Security DevOps Team 2022-06-22 20:06:30 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-23451
Comment 8 errata-xmlrpc 2022-12-07 20:27:43 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:8874 https://access.redhat.com/errata/RHSA-2022:8874
Note You need to log in before you can comment on or make changes to this bug.