All the vulnerabilites related to openstack - barbican
cve-2022-23452
Vulnerability from cvelistv5
Published
2022-09-01 20:57
Modified
2024-08-03 03:43
Severity ?
EPSS score ?
Summary
An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2025090 | x_refsource_MISC | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2022908 | x_refsource_MISC | |
| https://storyboard.openstack.org/#%21/story/2009297 | x_refsource_MISC | |
| https://review.opendev.org/c/openstack/barbican/+/814200 | x_refsource_MISC | |
| https://access.redhat.com/security/cve/CVE-2022-23452 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | n/a | openstack/barbican |
Version: Fixed in v14.0.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:43:45.996Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025090"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2022908"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://storyboard.openstack.org/#%21/story/2009297"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://review.opendev.org/c/openstack/barbican/+/814200"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-23452"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "openstack/barbican",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in v14.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 - Incorrect Authorization.",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-01T20:57:45",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025090"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2022908"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://storyboard.openstack.org/#%21/story/2009297"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://review.opendev.org/c/openstack/barbican/+/814200"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-23452"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-23452",
"datePublished": "2022-09-01T20:57:45",
"dateReserved": "2022-01-19T00:00:00",
"dateUpdated": "2024-08-03T03:43:45.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-3100
Vulnerability from cvelistv5
Published
2023-01-18 00:00
Modified
2024-08-03 01:00
Severity ?
EPSS score ?
Summary
A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | n/a | Red Hat OpenStack Platform |
Version: 13.0-17.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.491Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-3100"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Red Hat OpenStack Platform",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "13.0-17.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-18T00:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://access.redhat.com/security/cve/CVE-2022-3100"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-3100",
"datePublished": "2023-01-18T00:00:00",
"dateReserved": "2022-09-02T00:00:00",
"dateUpdated": "2024-08-03T01:00:10.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-23451
Vulnerability from cvelistv5
Published
2022-09-06 17:18
Modified
2024-08-03 03:43
Severity ?
EPSS score ?
Summary
An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2025089 | x_refsource_MISC | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2022878 | x_refsource_MISC | |
| https://storyboard.openstack.org/#%21/story/2009253 | x_refsource_MISC | |
| https://review.opendev.org/c/openstack/barbican/+/811236 | x_refsource_MISC | |
| https://access.redhat.com/security/cve/CVE-2022-23451 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | n/a | openstack/barbican |
Version: Fixed in v14.0.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:43:46.011Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025089"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2022878"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://storyboard.openstack.org/#%21/story/2009253"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://review.opendev.org/c/openstack/barbican/+/811236"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-23451"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "openstack/barbican",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in v14.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 - Incorrect Authorization.",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-06T17:18:52",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025089"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2022878"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://storyboard.openstack.org/#%21/story/2009253"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://review.opendev.org/c/openstack/barbican/+/811236"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-23451"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-23451",
"datePublished": "2022-09-06T17:18:52",
"dateReserved": "2022-01-19T00:00:00",
"dateUpdated": "2024-08-03T03:43:46.011Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-1633
Vulnerability from cvelistv5
Published
2023-09-24 00:09
Modified
2024-09-24 15:00
Severity ?
EPSS score ?
Summary
A credentials leak flaw was found in OpenStack Barbican. This flaw allows a local authenticated attacker to read the configuration file, gaining access to sensitive credentials.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2023-1633 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2181761 | issue-tracking, x_refsource_REDHAT |
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | n/a | openstack-barbican | |||||||||||||||||||||
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:57:24.844Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-1633"
},
{
"name": "RHBZ#2181761",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181761"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1633",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T15:00:26.781162Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T15:00:33.599Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "openstack-barbican",
"vendor": "n/a"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:13"
],
"defaultStatus": "unknown",
"packageName": "openstack-barbican",
"product": "Red Hat OpenStack Platform 13 (Queens)",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:16.1"
],
"defaultStatus": "affected",
"packageName": "openstack-barbican",
"product": "Red Hat OpenStack Platform 16.1",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:16.2"
],
"defaultStatus": "affected",
"packageName": "openstack-barbican",
"product": "Red Hat OpenStack Platform 16.2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:17.0"
],
"defaultStatus": "affected",
"packageName": "openstack-barbican",
"product": "Red Hat OpenStack Platform 17.0",
"vendor": "Red Hat"
},
{
"collectionURL": "https://repos.fedorapeople.org/repos/openstack/",
"defaultStatus": "affected",
"packageName": "openstack-barbican",
"product": "OpenStack RDO",
"vendor": "RDO"
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by Ade Lee (Red Hat) and Grzegorz Grasza (Red Hat)."
}
],
"datePublic": "2023-04-21T00:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A credentials leak flaw was found in OpenStack Barbican. This flaw allows a local authenticated attacker to read the configuration file, gaining access to sensitive credentials."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-24T00:09:50.215Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-1633"
},
{
"name": "RHBZ#2181761",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181761"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-03-25T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2023-04-21T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Insecure barbican configuration file leaking credential",
"x_redhatCweChain": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-1633",
"datePublished": "2023-09-24T00:09:50.215Z",
"dateReserved": "2023-03-25T17:59:57.293Z",
"dateUpdated": "2024-09-24T15:00:33.599Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-1636
Vulnerability from cvelistv5
Published
2023-09-24 00:09
Modified
2024-09-24 15:00
Severity ?
EPSS score ?
Summary
A vulnerability was found in OpenStack Barbican containers. This vulnerability is only applicable to deployments that utilize an all-in-one configuration. Barbican containers share the same CGROUP, USER, and NET namespace with the host system and other OpenStack services. If any service is compromised, it could gain access to the data transmitted to and from Barbican.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2023-1636 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2181765 | issue-tracking, x_refsource_REDHAT |
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | n/a | openstack-barbican | |||||||||||||||||||||
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:57:24.831Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-1636"
},
{
"name": "RHBZ#2181765",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181765"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1636",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T14:59:54.638602Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T15:00:07.823Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "openstack-barbican",
"vendor": "n/a"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:13"
],
"defaultStatus": "unaffected",
"packageName": "openstack-barbican",
"product": "Red Hat OpenStack Platform 13 (Queens)",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:16.1"
],
"defaultStatus": "affected",
"packageName": "openstack-barbican",
"product": "Red Hat OpenStack Platform 16.1",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:16.2"
],
"defaultStatus": "affected",
"packageName": "openstack-barbican",
"product": "Red Hat OpenStack Platform 16.2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:17.0"
],
"defaultStatus": "affected",
"packageName": "openstack-barbican",
"product": "Red Hat OpenStack Platform 17.0",
"vendor": "Red Hat"
},
{
"collectionURL": "https://repos.fedorapeople.org/repos/openstack/",
"defaultStatus": "affected",
"packageName": "openstack-barbican",
"product": "OpenStack RDO",
"vendor": "RDO"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank ANSSI and Amossys for reporting this issue."
}
],
"datePublic": "2023-04-21T00:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in OpenStack Barbican containers. This vulnerability is only applicable to deployments that utilize an all-in-one configuration. Barbican containers share the same CGROUP, USER, and NET namespace with the host system and other OpenStack services. If any service is compromised, it could gain access to the data transmitted to and from Barbican."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "Improper Isolation or Compartmentalization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-24T00:09:03.770Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-1636"
},
{
"name": "RHBZ#2181765",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181765"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-03-25T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2023-04-21T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Incomplete container isolation",
"x_redhatCweChain": "CWE-653: Improper Isolation or Compartmentalization"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-1636",
"datePublished": "2023-09-24T00:09:03.770Z",
"dateReserved": "2023-03-25T18:18:19.615Z",
"dateUpdated": "2024-09-24T15:00:07.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2023-09-24 01:15
Modified
2024-11-21 07:39
Severity ?
6.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
5.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
5.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Summary
A vulnerability was found in OpenStack Barbican containers. This vulnerability is only applicable to deployments that utilize an all-in-one configuration. Barbican containers share the same CGROUP, USER, and NET namespace with the host system and other OpenStack services. If any service is compromised, it could gain access to the data transmitted to and from Barbican.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/security/cve/CVE-2023-1636 | Third Party Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=2181765 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/CVE-2023-1636 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=2181765 | Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openstack | barbican | - | |
| redhat | openstack_platform | 16.1 | |
| redhat | openstack_platform | 16.2 | |
| redhat | openstack_platform | 17.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openstack:barbican:-:*:*:*:*:*:*:*",
"matchCriteriaId": "596EFC6C-4D91-4EDF-9EC6-1C58EB485C5E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:*",
"matchCriteriaId": "DCC81071-B46D-4F5D-AC25-B4A4CCC20C73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4B3000D2-35DF-4A93-9FC0-1AD3AB8349B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openstack_platform:17.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F7076B1E-0529-43CC-828B-45C2ED11F9F6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in OpenStack Barbican containers. This vulnerability is only applicable to deployments that utilize an all-in-one configuration. Barbican containers share the same CGROUP, USER, and NET namespace with the host system and other OpenStack services. If any service is compromised, it could gain access to the data transmitted to and from Barbican."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad en los contenedores OpenStack Barbican. Esta vulnerabilidad solo se aplica a implementaciones que utilizan una configuraci\u00f3n todo en uno. Los contenedores Barbican comparten el mismo espacio de nombres CGROUP, USER y NET con el sistema host y otros servicios OpenStack. Si alg\u00fan servicio se ve comprometido, podr\u00eda obtener acceso a los datos transmitidos hacia y desde Barbican."
}
],
"id": "CVE-2023-1636",
"lastModified": "2024-11-21T07:39:35.777",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.7,
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-24T01:15:43.920",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-1636"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181765"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-1636"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181765"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-653"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-09-06 18:15
Modified
2024-11-21 06:48
Severity ?
Summary
An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openstack | barbican | * | |
| redhat | openstack_platform | 13.0 | |
| redhat | openstack_platform | 16.1 | |
| redhat | openstack_platform | 16.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openstack:barbican:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F0E48953-548A-4FDC-944E-A86EA5908E9A",
"versionEndExcluding": "14.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openstack_platform:13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C52600BF-9E87-4CD2-91F3-685AFE478C1E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:*",
"matchCriteriaId": "DCC81071-B46D-4F5D-AC25-B4A4CCC20C73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4B3000D2-35DF-4A93-9FC0-1AD3AB8349B8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources."
},
{
"lang": "es",
"value": "Se ha encontrado un fallo de autorizaci\u00f3n en openstack-barbican. Las reglas de pol\u00edtica por defecto para la API de metadatos secretos permit\u00edan a cualquier usuario autenticado a\u00f1adir, modificar o eliminar metadatos de cualquier secreto independientemente de su propiedad. Este fallo permite a un atacante en la red modificar o eliminar datos protegidos, causando una denegaci\u00f3n de servicio al consumir recursos protegidos.\n"
}
],
"id": "CVE-2022-23451",
"lastModified": "2024-11-21T06:48:34.943",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-09-06T18:15:10.640",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-23451"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Permissions Required"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2022878"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025089"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://review.opendev.org/c/openstack/barbican/+/811236"
},
{
"source": "secalert@redhat.com",
"url": "https://storyboard.openstack.org/#%21/story/2009253"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-23451"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Permissions Required"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2022878"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025089"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://review.opendev.org/c/openstack/barbican/+/811236"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://storyboard.openstack.org/#%21/story/2009253"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "secalert@redhat.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-01-18 17:15
Modified
2024-11-21 07:18
Severity ?
Summary
A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/security/cve/CVE-2022-3100 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/CVE-2022-3100 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openstack | barbican | - | |
| redhat | openstack | 13 | |
| redhat | openstack | 16.1 | |
| redhat | openstack | 16.2 | |
| redhat | openstack | 17 | |
| redhat | openstack_for_ibm_power | 13 | |
| redhat | openstack_for_ibm_power | 16.1 | |
| redhat | openstack_for_ibm_power | 16.2 | |
| redhat | openstack_platform | 13.0 | |
| redhat | enterprise_linux_eus | 7.6 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openstack:barbican:-:*:*:*:*:*:*:*",
"matchCriteriaId": "596EFC6C-4D91-4EDF-9EC6-1C58EB485C5E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openstack:13:*:*:*:els:*:*:*",
"matchCriteriaId": "BC52495A-0275-4FC5-869B-7137E7FE115E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openstack:16.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C9D3F4FF-AD3D-4D17-93E8-84CAFCED2F59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openstack:16.2:-:*:*:*:*:*:*",
"matchCriteriaId": "FFE398FE-EE7C-4B64-ABB6-24697E047C85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openstack:17:*:*:*:*:*:*:*",
"matchCriteriaId": "BC12AF01-CCDD-4AB6-8F44-32058A63BAFB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openstack_for_ibm_power:13:*:*:*:els:*:*:*",
"matchCriteriaId": "1669C672-84CB-46D7-802A-4489749C8821",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openstack_for_ibm_power:16.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D272E454-64F0-4BD2-9EE8-B2A48023758A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openstack_for_ibm_power:16.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8DD273B9-4536-42E5-9F90-52408D263B22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openstack_platform:13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C52600BF-9E87-4CD2-91F3-685AFE478C1E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*",
"matchCriteriaId": "5BF3C7A5-9117-42C7-BEA1-4AA378A582EF",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una falla en el componente openstack-barbican. Este problema permite omitir la pol\u00edtica de acceso a trav\u00e9s de una cadena de consulta al acceder a la API."
}
],
"id": "CVE-2022-3100",
"lastModified": "2024-11-21T07:18:49.680",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 4.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-18T17:15:10.173",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-3100"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-3100"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-305"
}
],
"source": "secalert@redhat.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-09-01 21:15
Modified
2024-11-21 06:48
Severity ?
Summary
An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openstack | barbican | * | |
| redhat | openstack_platform | 16.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openstack:barbican:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F0E48953-548A-4FDC-944E-A86EA5908E9A",
"versionEndExcluding": "14.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:*",
"matchCriteriaId": "DCC81071-B46D-4F5D-AC25-B4A4CCC20C73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service."
},
{
"lang": "es",
"value": "Se ha encontrado un fallo de autorizaci\u00f3n en openstack-barbican, donde cualquier persona con un rol de administrador puede a\u00f1adir secretos a un contenedor de proyecto diferente. Este fallo permite a un atacante en la red consumir recursos protegidos y causar una denegaci\u00f3n de servicio"
}
],
"id": "CVE-2022-23452",
"lastModified": "2024-11-21T06:48:35.107",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-09-01T21:15:09.173",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-23452"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Permissions Required",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2022908"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025090"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://review.opendev.org/c/openstack/barbican/+/814200"
},
{
"source": "secalert@redhat.com",
"url": "https://storyboard.openstack.org/#%21/story/2009297"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-23452"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Permissions Required",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2022908"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025090"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://review.opendev.org/c/openstack/barbican/+/814200"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://storyboard.openstack.org/#%21/story/2009297"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "secalert@redhat.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-09-24 01:15
Modified
2024-11-21 07:39
Severity ?
6.6 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
A credentials leak flaw was found in OpenStack Barbican. This flaw allows a local authenticated attacker to read the configuration file, gaining access to sensitive credentials.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/security/cve/CVE-2023-1633 | Third Party Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=2181761 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/CVE-2023-1633 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=2181761 | Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openstack | barbican | - | |
| redhat | openstack_platform | 16.1 | |
| redhat | openstack_platform | 16.2 | |
| redhat | openstack_platform | 17.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openstack:barbican:-:*:*:*:*:*:*:*",
"matchCriteriaId": "596EFC6C-4D91-4EDF-9EC6-1C58EB485C5E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:*",
"matchCriteriaId": "DCC81071-B46D-4F5D-AC25-B4A4CCC20C73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4B3000D2-35DF-4A93-9FC0-1AD3AB8349B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openstack_platform:17.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F7076B1E-0529-43CC-828B-45C2ED11F9F6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A credentials leak flaw was found in OpenStack Barbican. This flaw allows a local authenticated attacker to read the configuration file, gaining access to sensitive credentials."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una falla de fuga de credenciales en OpenStack Barbican. Esta falla permite que un atacante autenticado local lea el archivo de configuraci\u00f3n y obtenga acceso a credenciales sensibles."
}
],
"id": "CVE-2023-1633",
"lastModified": "2024-11-21T07:39:35.337",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 4.7,
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-24T01:15:43.760",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-1633"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181761"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-1633"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181761"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}