Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wMmpnLXE4aHctcDdnY84AAup4
Barbican authorization flaw before v14.0.0
An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources.
Permalink: https://github.com/advisories/GHSA-p2jg-q8hw-p7gcJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wMmpnLXE4aHctcDdnY84AAup4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Identifiers: GHSA-p2jg-q8hw-p7gc, CVE-2022-23451
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-23451
- https://access.redhat.com/security/cve/CVE-2022-23451
- https://bugzilla.redhat.com/show_bug.cgi?id=2022878
- https://bugzilla.redhat.com/show_bug.cgi?id=2025089
- https://review.opendev.org/c/openstack/barbican/+/811236
- https://github.com/openstack/barbican/commit/7d270bacbe29a90a10f1855abc3b50dac0f08022
- https://access.redhat.com/errata/RHSA-2022:5114
- https://access.redhat.com/errata/RHSA-2022:8874
- https://github.com/advisories/GHSA-p2jg-q8hw-p7gc
Blast Radius: 3.9
Affected Packages
pypi:barbican
Dependent packages: 0Dependent repositories: 3
Downloads: 2,035 last month
Affected Version Ranges: < 14.0.0
Fixed in: 14.0.0
All affected versions: 8.0.0, 8.0.1, 9.0.0, 9.0.1, 10.0.0, 10.1.0, 11.0.0, 12.0.0, 12.0.1, 12.0.2, 13.0.0, 13.0.1, 13.0.2
All unaffected versions: 14.0.0, 14.0.1, 14.0.2, 15.0.0, 15.0.1, 16.0.0, 17.0.0, 18.0.0