CVE-2022-23451
Severity: HIGH
openstack-barbican < 14.0.0 - Authenticated Incorrect Authorization in Secret Metadata API
Title source: llmDescription
An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources.
References (5)
Issue Tracking, Third Party Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=2025089
Issue Tracking, Permissions Required: https://bugzilla.redhat.com/show_bug.cgi?id=2022878
Various Sources: https://storyboard.openstack.org/#%21/story/2009253
Patch, Third Party Advisory: https://review.opendev.org/c/openstack/barbican/+/811236
Issue Tracking, Third Party Advisory: https://access.redhat.com/security/cve/CVE-2022-23451
Scores
CVSS v3: 8.1
EPSS: 0.0034
EPSS Percentile: 56.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Details
CWE: CWE-863
Status: published
Products (5)
openstack/barbican: < 14.0.0
pypi/barbican: 0 - 14.0.0 (PyPI)
redhat/openstack_platform: 13.0
redhat/openstack_platform: 16.1
redhat/openstack_platform: 16.2
Published: Sep 06, 2022
Tracked Since: Feb 18, 2026