Vulnerability Details : CVE-2022-23452
An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service.
Vulnerability category: Denial of service
Exploit prediction scoring system (EPSS) score for CVE-2022-23452
Probability of exploitation activity in the next 30 days: 0.14%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 48 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2022-23452
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
4.9
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
1.2
|
3.6
|
NIST |
CWE ids for CVE-2022-23452
-
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.Assigned by:
- nvd@nist.gov (Secondary)
- secalert@redhat.com (Primary)
References for CVE-2022-23452
-
https://storyboard.openstack.org/#%21/story/2009297
StoryBoard
-
https://access.redhat.com/security/cve/CVE-2022-23452
CVE-2022-23452- Red Hat Customer PortalThird Party Advisory
-
https://review.opendev.org/c/openstack/barbican/+/814200
Fix policy for adding a secret to a container (I821b4f59) · Gerrit Code ReviewPatch;Third Party Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=2022908
Bug Access DeniedIssue Tracking;Permissions Required;Third Party Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=2025090
2025090 – (CVE-2022-23452) CVE-2022-23452 openstack-barbican: Barbican allows anyone with an admin role to add their secrets to a different project's containersIssue Tracking;Third Party Advisory
Products affected by CVE-2022-23452
- cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:barbican:*:*:*:*:*:*:*:*