CVE-2022-3100
openstack-barbican: access policy bypass via query string injection
Severity Score
5.9
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API.
Se encontró una falla en el componente openstack-barbican. Este problema permite omitir la política de acceso a través de una cadena de consulta al acceder a la API.
Douglas Mendizabal discovered that Barbican, the OpenStack Key Management Service, incorrectly parsed requests which could allow an authenticated user to bypass Barbican access policies.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-09-02 CVE Reserved
- 2022-09-30 CVE Published
- 2024-08-03 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-305: Authentication Bypass by Primary Weakness
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2022-3100 | 2022-09-29 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2125404 | 2022-09-29 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Openstack Platform Search vendor "Redhat" for product "Openstack Platform" | 13.0 Search vendor "Redhat" for product "Openstack Platform" and version "13.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Eus Search vendor "Redhat" for product "Enterprise Linux Eus" | 7.6 Search vendor "Redhat" for product "Enterprise Linux Eus" and version "7.6" | - |
Safe
|
| Openstack Search vendor "Openstack" | Barbican Search vendor "Openstack" for product "Barbican" | - | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack Search vendor "Redhat" for product "Openstack" | 13 Search vendor "Redhat" for product "Openstack" and version "13" | els |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack Search vendor "Redhat" for product "Openstack" | 16.1 Search vendor "Redhat" for product "Openstack" and version "16.1" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack Search vendor "Redhat" for product "Openstack" | 16.2 Search vendor "Redhat" for product "Openstack" and version "16.2" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack Search vendor "Redhat" for product "Openstack" | 17 Search vendor "Redhat" for product "Openstack" and version "17" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack For Ibm Power Search vendor "Redhat" for product "Openstack For Ibm Power" | 13 Search vendor "Redhat" for product "Openstack For Ibm Power" and version "13" | els |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack For Ibm Power Search vendor "Redhat" for product "Openstack For Ibm Power" | 16.1 Search vendor "Redhat" for product "Openstack For Ibm Power" and version "16.1" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack For Ibm Power Search vendor "Redhat" for product "Openstack For Ibm Power" | 16.2 Search vendor "Redhat" for product "Openstack For Ibm Power" and version "16.2" | - |
Affected
| ||||||