{"containers": {"cna": {"affected": [{"product": "openstack/barbican", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed in v14.0.0"}]}], "descriptions": [{"lang": "en", "value": "An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 - Incorrect Authorization.", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-06T17:18:52", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025089"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2022878"}, {"tags": ["x_refsource_MISC"], "url": "https://storyboard.openstack.org/#%21/story/2009253"}, {"tags": ["x_refsource_MISC"], "url": "https://review.opendev.org/c/openstack/barbican/+/811236"}, {"tags": ["x_refsource_MISC"], "url": "https://access.redhat.com/security/cve/CVE-2022-23451"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:43:46.011Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025089"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2022878"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://storyboard.openstack.org/#%21/story/2009253"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://review.opendev.org/c/openstack/barbican/+/811236"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://access.redhat.com/security/cve/CVE-2022-23451"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2022-23451", "datePublished": "2022-09-06T17:18:52", "dateReserved": "2022-01-19T00:00:00", "dateUpdated": "2024-08-03T03:43:46.011Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:barbican:*:*:*:*:*:*:*:*", "matchCriteriaId": "F0E48953-548A-4FDC-944E-A86EA5908E9A", "versionEndExcluding": "14.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openstack_platform:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "C52600BF-9E87-4CD2-91F3-685AFE478C1E", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:*", "matchCriteriaId": "DCC81071-B46D-4F5D-AC25-B4A4CCC20C73", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:*", "matchCriteriaId": "4B3000D2-35DF-4A93-9FC0-1AD3AB8349B8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources."}, {"lang": "es", "value": "Se ha encontrado un fallo de autorizaci\u00f3n en openstack-barbican. Las reglas de pol\u00edtica por defecto para la API de metadatos secretos permit\u00edan a cualquier usuario autenticado a\u00f1adir, modificar o eliminar metadatos de cualquier secreto independientemente de su propiedad. Este fallo permite a un atacante en la red modificar o eliminar datos protegidos, causando una denegaci\u00f3n de servicio al consumir recursos protegidos.\n"}], "id": "CVE-2022-23451", "lastModified": "2024-11-21T06:48:34.943", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-06T18:15:10.640", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2022-23451"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2022878"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025089"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://review.opendev.org/c/openstack/barbican/+/811236"}, {"source": "secalert@redhat.com", "url": "https://storyboard.openstack.org/#%21/story/2009253"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2022-23451"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2022878"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025089"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://review.opendev.org/c/openstack/barbican/+/811236"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://storyboard.openstack.org/#%21/story/2009253"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"acknowledgement": "This issue was discovered by Douglas Mendiz\u00e1bal (Red Hat).", "affected_release": [{"advisory": "RHSA-2022:8874", "cpe": "cpe:/a:redhat:openstack:16.1::el8", "package": "openstack-barbican-0:9.0.1-1.20220916133702.07be198.el8ost", "product_name": "Red Hat OpenStack Platform 16.1", "release_date": "2022-12-07T00:00:00Z"}, {"advisory": "RHSA-2022:5114", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "openstack-barbican-0:9.0.2-2.20220122185348.c718783.el8ost", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2022-06-22T00:00:00Z"}], "bugzilla": {"description": "openstack-barbican: Barbican allows authenticated users to add/modify/delete arbitrary metadata on any secret", "id": "2025089", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025089"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "status": "verified"}, "cwe": "CWE-863", "details": ["An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources.", "An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources."], "name": "CVE-2022-23451", "package_state": [{"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "openstack-barbican", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}], "public_date": "2021-12-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-23451\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-23451"], "threat_severity": "Moderate"}