CVE-2022-23452: openstack-barbican Denial of Service vulnerability
CVSS Score: 4.9 (CVSS v3.1)
Basic Information
CVE ID: CVE-2022-23452
GHSA ID:
EPSS Score: 0.21519%
CWE: CWE-863 (Incorrect Authorization)
Published: 9/2/2022
Updated: 5/14/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
barbican | pip | < 14.0.0 | 14.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from an incomplete authorization check when a secret is associated with a container: the handler confirms that the caller holds the admin role, but not that the target container belongs to the project the caller's token is scoped to. An admin in one project can therefore add secrets to containers owned by another project, consuming that project's protected resources; this is why the CVSS vector records PR:H with an availability-only impact (A:H, no confidentiality or integrity impact). The ContainersController.post method, which handles requests to add secrets to containers, is the logical entry point for the flaw. In OpenStack services, authorization flaws of this kind typically occur in API endpoint handlers where policy enforcement is missing or scoped too loosely. The CWE-863 (Incorrect Authorization) classification and the CVE description, an admin role bypassing project boundaries, point to the container-secret association logic, which is exactly what this controller method is responsible for. The high confidence rating rests on the direct mapping between the described behaviour and the controller's responsibility for managing container-secret relationships; note that this mapping is inferred from the advisory text rather than from a line-level diagnosis of the patched code.
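To make the authorization gap concrete, the following Python example is added here; it is constructed for this page and is not Barbican's own controller code. It models an "add secret to container" handler in two shapes: a role-only check, which mirrors the flaw described above (any admin, in any project, passes), and a project-scoped check that also requires the container and the secret to belong to the caller's project. The names add_secret_role_only, add_secret_project_scoped, Caller, make_store and the sample projects are assumptions for illustration.

```python
"""Added example (not Barbican's code): role-only vs project-scoped
authorization for an 'add secret to container' request.
All class names, function names and sample data below are constructed."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the policy check rejects the request."""


@dataclass
class Secret:
    id: str
    project_id: str


@dataclass
class Container:
    id: str
    project_id: str
    secret_ids: list = field(default_factory=list)


@dataclass
class Caller:
    """The authenticated requester: the project its token is scoped to, and its roles."""
    project_id: str
    roles: frozenset


def make_store():
    """Constructed sample data: two projects, each owning one container and one secret."""
    secrets = {
        "sec-a": Secret("sec-a", "project-a"),
        "sec-b": Secret("sec-b", "project-b"),
    }
    containers = {
        "ctr-a": Container("ctr-a", "project-a"),
        "ctr-b": Container("ctr-b", "project-b"),
    }
    return secrets, containers


def _require_admin(caller):
    if "admin" not in caller.roles:
        raise Forbidden("admin role required")


def add_secret_role_only(caller, containers, secrets, container_id, secret_id):
    """Vulnerable shape: the policy checks only that the caller is an admin.

    Any admin, in any project, can attach any secret to any container, so a
    project-b admin can fill project-a's containers (CWE-863)."""
    _require_admin(caller)
    container = containers[container_id]
    secret = secrets[secret_id]
    container.secret_ids.append(secret.id)
    return list(container.secret_ids)


def add_secret_project_scoped(caller, containers, secrets, container_id, secret_id):
    """Hardened shape: keep the role check, and additionally require the
    resources being touched to belong to the caller's own project."""
    _require_admin(caller)
    container = containers[container_id]
    secret = secrets[secret_id]
    # Enforce the project boundary on the container being modified ...
    if container.project_id != caller.project_id:
        raise Forbidden("container %s belongs to another project" % container_id)
    # ... and on the secret being attached, so cross-project references are rejected too.
    if secret.project_id != caller.project_id:
        raise Forbidden("secret %s belongs to another project" % secret_id)
    container.secret_ids.append(secret.id)
    return list(container.secret_ids)


def cross_project_attempt(handler):
    """Run a project-b admin against project-a's container through `handler`.

    Returns 'allowed' or 'denied' so the two policy shapes can be compared."""
    secrets, containers = make_store()
    attacker = Caller(project_id="project-b", roles=frozenset({"admin"}))
    try:
        handler(attacker, containers, secrets, "ctr-a", "sec-b")
    except Forbidden:
        return "denied"
    return "allowed"


if __name__ == "__main__":
    print("role-only policy:      ", cross_project_attempt(add_secret_role_only))
    print("project-scoped policy: ", cross_project_attempt(add_secret_project_scoped))
```

The role check alone is what a policy such as "admin role required" expresses; the project comparison is the missing piece, and it has to be applied to every resource the request references, not just the one named in the URL path, or an attacker can still pull another project's secret into their own container.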