Bug 2125404 (CVE-2022-3100) - CVE-2022-3100 openstack-barbican: access policy bypass via query string injection
Summary: CVE-2022-3100 openstack-barbican: access policy bypass via query string injec...
Alias: CVE-2022-3100
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2122347 2125406 2125407 2126199 2131829
Blocks: 2123858
TreeView+ depends on / blocked
Reported: 2022-09-08 21:16 UTC by Anten Skrabec
Modified: 2022-11-28 22:28 UTC (History)
9 users (show)

Fixed In Version: openstack-barbican-12.0.1-0.20220614210405
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API.
Clone Of:
Last Closed: 2022-11-28 22:28:37 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:6768 0 None None None 2022-10-04 11:19:46 UTC
Red Hat Product Errata RHBA-2022:6770 0 None None None 2022-10-04 11:32:04 UTC
Red Hat Product Errata RHBA-2022:6771 0 None None None 2022-10-04 11:34:12 UTC
Red Hat Product Errata RHBA-2022:6772 0 None None None 2022-10-04 11:46:10 UTC
Red Hat Product Errata RHSA-2022:6750 0 None None None 2022-09-29 12:38:40 UTC

Description Anten Skrabec 2022-09-08 21:16:35 UTC
Barbican is including the contents of the request query string in the target data that is used by oslo.policy to enforce policy.

Since oslo.policy uses this data to do string interpolation into the policy rules before enforcing the policy, it gives a malicious user the opportunity to craft query strings to manipulate the policy in arbitrary ways.

For example, a malicious user with a Keystone account is able to decrypt any secret as long as they know the secret's ID by using a specifically crafted query string:

    GET /v1/secrets/{secret-id}/payload?target.secret.read=read

Using this query string, the malicious user is able to fool Barbican into thinking that the user is in the ACL for the secret, which allows for secret decryption.  Since the query string is applied to the target data after the data is fetched from the database, the user-provided query string overrides any values stored in the DB.  In this case, overriding "target.secret.read" to "read", which should only be set when a user is added to the ACL.

Comment 12 errata-xmlrpc 2022-09-29 12:38:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1
  Red Hat OpenStack Platform 16.2
  Red Hat OpenStack Platform 17.0
  Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS
  Red Hat OpenStack Platform 13.0 - ELS

Via RHSA-2022:6750 https://access.redhat.com/errata/RHSA-2022:6750

Comment 13 Anten Skrabec 2022-10-03 20:23:50 UTC
Created openstack-barbican tracking bugs for this issue:

Affects: openstack-rdo [bug 2131829]

Comment 14 Product Security DevOps Team 2022-11-28 22:28:35 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.