CVE-2022-23451

high

Description

An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources.

References

https://storyboard.openstack.org/#%21/story/2009253

https://review.opendev.org/c/openstack/barbican/+/811236

https://bugzilla.redhat.com/show_bug.cgi?id=2025089

https://bugzilla.redhat.com/show_bug.cgi?id=2022878

https://access.redhat.com/security/cve/CVE-2022-23451

Details

Source: Mitre, NVD

Published: 2022-09-06

Updated: 2023-02-12

Risk Information

CVSS v2

Base Score: 8.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Severity: High