CVSS: 7.1EPSS: 0%CPEs: 10EXPL: 0CVE-2022-3100 – openstack-barbican: access policy bypass via query string injection
https://notcve.org/view.php?id=CVE-2022-3100
A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API. Se encontró una falla en el componente openstack-barbican. Este problema permite omitir la política de acceso a través de una cadena de consulta al acceder a la API. • https://access.redhat.com/security/cve/CVE-2022-3100 https://bugzilla.redhat.com/show_bug.cgi?id=2125404 • CWE-305: Authentication Bypass by Primary Weakness •
CVSS: 6.6EPSS: 0%CPEs: 7EXPL: 1CVE-2022-2447
https://notcve.org/view.php?id=CVE-2022-2447
A flaw was found in Keystone. There is a time lag (up to one hour in a default configuration) between when security policy says a token should be revoked from when it is actually revoked. This could allow a remote administrator to secretly maintain access for longer than expected. Se ha encontrado un fallo en Keystone. Hay un desfase (de hasta una hora en una configuración por defecto) entre el momento en que la política de seguridad dice que un token debe ser revocado y el momento en que realmente lo es. • https://access.redhat.com/security/cve/CVE-2022-2447 https://bugzilla.redhat.com/show_bug.cgi?id=2105419 • CWE-324: Use of a Key Past its Expiration Date CWE-672: Operation on a Resource after Expiration or Release •
CVSS: 7.4EPSS: 2%CPEs: 7EXPL: 3CVE-2021-3563
https://notcve.org/view.php?id=CVE-2021-3563
A flaw was found in openstack-keystone. Only the first 72 characters of an application secret are verified allowing attackers bypass some password complexity which administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and integrity. Se ha encontrado un fallo en openstack-keystone. Sólo son verificados los primeros 72 caracteres del secreto de una aplicación, lo que permite a atacantes omitir determinada complejidad de las contraseñas con la que pueden contar los administradores. • https://access.redhat.com/security/cve/CVE-2021-3563 https://bugs.launchpad.net/ossa/+bug/1901891 https://bugzilla.redhat.com/show_bug.cgi?id=1962908 https://lists.debian.org/debian-lts-announce/2024/01/msg00007.html https://security-tracker.debian.org/tracker/CVE-2021-3563 • CWE-863: Incorrect Authorization •
CVSS: 4.9EPSS: 0%CPEs: 2EXPL: 0CVE-2022-23452 – openstack-barbican: Barbican allows anyone with an admin role to add their secrets to a different project's containers
https://notcve.org/view.php?id=CVE-2022-23452
An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service. Se ha encontrado un fallo de autorización en openstack-barbican, donde cualquier persona con un rol de administrador puede añadir secretos a un contenedor de proyecto diferente. Este fallo permite a un atacante en la red consumir recursos protegidos y causar una denegación de servicio • https://access.redhat.com/security/cve/CVE-2022-23452 https://bugzilla.redhat.com/show_bug.cgi?id=2022908 https://bugzilla.redhat.com/show_bug.cgi?id=2025090 https://review.opendev.org/c/openstack/barbican/+/814200 https://storyboard.openstack.org/#%21/story/2009297 • CWE-863: Incorrect Authorization •
CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 0CVE-2022-23451 – openstack-barbican: Barbican allows authenticated users to add/modify/delete arbitrary metadata on any secret
https://notcve.org/view.php?id=CVE-2022-23451
An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources. Se ha encontrado un fallo de autorización en openstack-barbican. Las reglas de política por defecto para la API de metadatos secretos permitían a cualquier usuario autenticado añadir, modificar o eliminar metadatos de cualquier secreto independientemente de su propiedad. • https://access.redhat.com/security/cve/CVE-2022-23451 https://bugzilla.redhat.com/show_bug.cgi?id=2022878 https://bugzilla.redhat.com/show_bug.cgi?id=2025089 https://review.opendev.org/c/openstack/barbican/+/811236 https://storyboard.openstack.org/#%21/story/2009253 • CWE-863: Incorrect Authorization •