CVE-2022-23451
moderate-risk
Published 2022-09-06
An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata on any secret, regardless of which project or user owned that secret. An authenticated attacker with network access to the API can therefore tamper with or delete protected data belonging to other tenants, or cause a denial of service by consuming resources associated with those secrets.
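The flaw is an authorization check that stops at authentication. The following added example (not Barbican's own code) models the decision made on a secret metadata request and contrasts a rule that only requires a valid token with one that also enforces project scope and ownership. The `Secret` and `RequestContext` shapes, the role names and the hardened rule itself are illustrative assumptions, not the exact upstream policy; in a real deployment the equivalent rules are the `secret_meta:*` entries in Barbican's oslo.policy configuration, which should be compared against the defaults shipped with a fixed package.

```python
# Added example, not Barbican's code: a minimal model of the authorization
# decision on the secret metadata API (CVE-2022-23451 pattern).
# Secret/request shapes, role names and the hardened rule are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class Secret:
    secret_id: str
    project_id: str          # project (tenant) that owns the secret
    creator_id: str          # user that created the secret
    metadata: Dict[str, str] = field(default_factory=dict)


@dataclass
class RequestContext:
    user_id: str
    project_id: str          # project scope of the caller's token
    roles: Tuple[str, ...] = ("member",)


PolicyRule = Callable[[RequestContext, Secret], bool]


def rule_any_authenticated(ctx: RequestContext, secret: Secret) -> bool:
    """Weak rule in the shape of the flaw: holding any valid token is enough;
    the secret's owner is never consulted."""
    return bool(ctx.user_id)


def rule_secret_owner(ctx: RequestContext, secret: Secret) -> bool:
    """Hardened rule (illustrative): the token must be scoped to the secret's
    project, and the caller must be the creator or a project admin."""
    if not ctx.user_id:
        return False
    if ctx.project_id != secret.project_id:   # the missing ownership check
        return False
    return ctx.user_id == secret.creator_id or "admin" in ctx.roles


def set_metadata(ctx: RequestContext, secret: Secret, key: str, value: str,
                 rule: PolicyRule) -> None:
    """PUT/POST on .../secrets/{id}/metadata, gated by the given rule."""
    if not rule(ctx, secret):
        raise PermissionError(f"{ctx.user_id} may not modify {secret.secret_id}")
    secret.metadata[key] = value


def delete_metadata(ctx: RequestContext, secret: Secret, key: str,
                    rule: PolicyRule) -> None:
    """DELETE on .../secrets/{id}/metadata/{key}, gated by the given rule."""
    if not rule(ctx, secret):
        raise PermissionError(f"{ctx.user_id} may not modify {secret.secret_id}")
    secret.metadata.pop(key, None)


def simulate(rule: PolicyRule) -> Dict[str, bool]:
    """Replay a cross-project scenario (constructed data) under one rule and
    report which operations succeeded and whether the owner's data survived."""
    secret = Secret("s-1", project_id="proj-a", creator_id="alice",
                    metadata={"description": "prod db password"})
    owner = RequestContext("alice", "proj-a")
    outsider = RequestContext("mallory", "proj-b")   # authenticated, other project
    results: Dict[str, bool] = {}
    for label, ctx in (("owner_set", owner), ("outsider_set", outsider)):
        try:
            set_metadata(ctx, secret, "description",
                         f"changed by {ctx.user_id}", rule)
            results[label] = True
        except PermissionError:
            results[label] = False
    try:
        delete_metadata(outsider, secret, "description", rule)
        results["outsider_delete"] = True
    except PermissionError:
        results["outsider_delete"] = False
    results["metadata_intact"] = (
        secret.metadata.get("description") == "changed by alice")
    return results


if __name__ == "__main__":
    print("weak rule:    ", simulate(rule_any_authenticated))
    print("hardened rule:", simulate(rule_secret_owner))
```

Under the weak rule the outsider's write and delete both succeed and the owner's metadata is gone; under the hardened rule only the owner's write goes through. The same two-token experiment (create a secret in one project, then issue metadata writes with a token scoped to another project) is how to confirm whether a live deployment still carries the permissive default.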
Do I need to act?
EPSS: 0.42% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown. Check vendor advisories (see the Red Hat references below) for fix availability and mitigation guidance.
CVSS 8.1/10 (High): attack vector NETWORK, attack complexity LOW
Affected Products (4)
References (10)
Issue Tracking: https://access.redhat.com/security/cve/CVE-2022-23451
Issue Tracking: https://bugzilla.redhat.com/show_bug.cgi?id=2022878
Issue Tracking: https://bugzilla.redhat.com/show_bug.cgi?id=2025089
Risk score: 40 / 100 (moderate-risk)
Severity: 28/34 · Critical
Exploitability: 2/34 · Minimal
Exposure: 10/34 · Low