
CVE-2022-23451: Barbican authorization flaw before v14.0.0

CVSS Score
8.1 (CVSS v3.1)

Basic Information

EPSS Score
0.24286%
Published
9/7/2022
Updated
2/3/2023
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Package Name
barbican
Ecosystem
pip
Vulnerable Versions
< 14.0.0
First Patched Version
14.0.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from two causes: 1) controller classes inheriting from ACLMixin instead of SecretACLMixin, so the project_id/creator_id checks were missing; 2) overly permissive policy rules in secretmeta.py that did not validate secret ownership. The patch added SecretACLMixin with project validation and tightened the policy rules to require secret_project_creator/admin checks. The vulnerable functions handled metadata operations while using the legacy authorization mixin and the permissive policies.
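The following is an added illustration, written for this page and not taken from Barbican or from the patch, of the difference the analysis above describes: a metadata controller whose policy rule only checks that the caller is authenticated, beside the same controller gated by a rule that requires the caller to belong to the secret's project and to be its creator or a project admin. The classes, rule names and sample identities (proj-A, alice, and so on) are constructed for the example and do not correspond to Barbican's own code.

```python
from dataclasses import dataclass, field, replace


@dataclass
class Secret:
    """Constructed stand-in for a stored secret (not Barbican's model)."""
    secret_id: str
    project_id: str
    creator_id: str
    metadata: dict = field(default_factory=dict)


@dataclass(frozen=True)
class RequestContext:
    """Constructed stand-in for an authenticated request context."""
    user_id: str
    project_id: str
    roles: frozenset = frozenset()
    is_authenticated: bool = True


def rule_authenticated(ctx: RequestContext, secret: Secret) -> bool:
    """Weak rule: any authenticated caller passes; ownership is never consulted."""
    return ctx.is_authenticated


def rule_secret_project_creator_or_admin(ctx: RequestContext, secret: Secret) -> bool:
    """Tightened rule (hypothetical name): the caller must be in the secret's
    project and be either the secret's creator or an admin of that project."""
    if not ctx.is_authenticated:
        return False
    if ctx.project_id != secret.project_id:
        return False
    return "admin" in ctx.roles or ctx.user_id == secret.creator_id


class SecretMetadataController:
    """Minimal metadata controller; the rule it is built with decides access."""

    def __init__(self, rule):
        self.rule = rule

    def update_metadata(self, ctx, secret, key, value):
        if not self.rule(ctx, secret):
            raise PermissionError(f"{ctx.user_id} may not modify {secret.secret_id}")
        secret.metadata[key] = value
        return dict(secret.metadata)

    def delete_metadata(self, ctx, secret, key):
        if not self.rule(ctx, secret):
            raise PermissionError(f"{ctx.user_id} may not modify {secret.secret_id}")
        secret.metadata.pop(key, None)
        return dict(secret.metadata)


def can_modify(rule, ctx, secret) -> bool:
    """Attempt an update and a delete on a copy of the secret; True if the rule allowed both."""
    ctl = SecretMetadataController(rule)
    work = replace(secret, metadata=dict(secret.metadata))
    try:
        ctl.update_metadata(ctx, work, "note", "changed")
        ctl.delete_metadata(ctx, work, "env")
    except PermissionError:
        return False
    return True


def compare_rules() -> dict:
    """Run the same set of callers against both rules; returns {rule: {caller: allowed}}."""
    # Constructed sample data: one secret owned by alice in project proj-A.
    secret = Secret("s1", project_id="proj-A", creator_id="alice", metadata={"env": "prod"})
    callers = {
        "creator": RequestContext("alice", "proj-A"),
        "project_admin": RequestContext("bob", "proj-A", roles=frozenset({"admin"})),
        "same_project_other_user": RequestContext("carol", "proj-A"),
        "other_project_user": RequestContext("dave", "proj-B"),
        "other_project_admin": RequestContext("erin", "proj-B", roles=frozenset({"admin"})),
    }
    rules = {
        "permissive": rule_authenticated,
        "tightened": rule_secret_project_creator_or_admin,
    }
    return {rule_name: {caller_name: can_modify(rule, ctx, secret)
                        for caller_name, ctx in callers.items()}
            for rule_name, rule in rules.items()}


if __name__ == "__main__":
    for rule_name, outcome in compare_rules().items():
        print(rule_name, outcome)
```

Under the permissive rule every caller, including users and admins of an unrelated project, can rewrite or delete the metadata; under the tightened rule only the creator and an admin of the owning project can, which is the ownership property the patch restores. The same two-part check (project match first, then creator-or-admin) is the shape to look for when reviewing any per-object policy rule.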

WAF Protection Rules

WAF Rule

An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the

Reasoning

The vulnerability stemmed from: 1) Controller classes inheriting from ACLMixin instead of SecretACLMixin, missing project_id/creator_id checks 2) Overly permissive policy rules in secretmeta.py that didn't validate secret ownership. The patch added S