CVE-2022-23451 – barbican
Package
Manager: pip
Name: barbican
Vulnerable Version: >=0 <14.0.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00103 (percentile 0.28896)
Details
Barbican authorization flaw before v14.0.0. An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources.
Metadata
Created: 2022-09-07T00:01:53Z
Modified: 2022-09-15T03:22:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-p2jg-q8hw-p7gc/GHSA-p2jg-q8hw-p7gc.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-p2jg-q8hw-p7gc
Finding: F006
Auto approve: 1