
CVSS: 6.6 • EPSS: 0% • CPEs: 4 • EXPL: 0

24 Sep 2023 — A credentials leak flaw was found in OpenStack Barbican. This flaw allows a local authenticated attacker to read the configuration file, gaining access to sensitive credentials. An update for openstack-barbican is now available for Red Hat OpenStack Platform 16.2. • https://access.redhat.com/security/cve/CVE-2023-1633 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-522: Insufficiently Protected Credentials

CVSS: 6.0 • EPSS: 0% • CPEs: 4 • EXPL: 0

24 Sep 2023 — A vulnerability was found in OpenStack Barbican containers. This vulnerability is only applicable to deployments that utilize an all-in-one configuration. Barbican containers share the same CGROUP, USER, and NET namespace with the host system and other OpenStack services. If any service is compromised, it could gain access to the data transmitted to and from Barbican. • https://access.redhat.com/security/cve/CVE-2023-1636 • CWE-653: Improper Isolation or Compartmentalization

CVSS: 7.1 • EPSS: 0% • CPEs: 10 • EXPL: 0

30 Sep 2022 — A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API. Douglas Mendizabal discovered that Barbican, the OpenStack Key Management Service, incorrectly parsed requests, which could allow an authenticated user to bypass Barbican access policies. • https://access.redhat.com/security/cve/CVE-2022-3100 • CWE-305: Authentication Bypass by Primary Weakness

CVSS: 6.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

23 Jun 2022 — An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service. • https://access.redhat.com/security/cve/CVE-2022-23452 • CWE-863: Incorrect Authorization

CVSS: 8.5 • EPSS: 0% • CPEs: 4 • EXPL: 0

26 Apr 2022 — An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources. • https://access.redhat.com/security/cve/CVE-2022-23451 • CWE-863: Incorrect Authorization