{"api_version":"1","generated_at":"2026-04-23T06:20:33+00:00","cve":"CVE-2022-23451","urls":{"html":"https://cve.report/CVE-2022-23451","api":"https://cve.report/api/cve/CVE-2022-23451.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-23451","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-23451"},"summary":{"title":"CVE-2022-23451","description":"An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2022-09-06 18:15:00","updated_at":"2023-02-12 22:15:00"},"problem_types":["CWE-863"],"metrics":[],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2022-23451","name":"https://access.redhat.com/security/cve/CVE-2022-23451","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://storyboard.openstack.org/#!/story/2009253","name":"https://storyboard.openstack.org/#!/story/2009253","refsource":"MISC","tags":[],"title":"StoryBoard","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://review.opendev.org/c/openstack/barbican/+/811236","name":"https://review.opendev.org/c/openstack/barbican/+/811236","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://access.redhat.com/errata/RHSA-2022:5114","name":"https://access.redhat.com/errata/RHSA-2022:5114","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2022878","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2022878","refsource":"MISC","tags":[],"title":"Bug Access Denied","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://storyboard.openstack.org/#%21/story/2009253","name":"https://storyboard.openstack.org/#%21/story/2009253","refsource":"MISC","tags":[],"title":"StoryBoard","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2025089","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2025089","refsource":"MISC","tags":[],"title":"2025089 – (CVE-2022-23451) CVE-2022-23451 openstack-barbican: Barbican allows authenticated users to add/modify/delete arbitrary metadata on any secret","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://access.redhat.com/errata/RHSA-2022:8874","name":"https://access.redhat.com/errata/RHSA-2022:8874","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-23451","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23451","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"23451","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openstack","cpe5":"barbican","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23451","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openstack_platform","cpe6":"13.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23451","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openstack_platform","cpe6":"16.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23451","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openstack_platform","cpe6":"16.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-23451","qid":"182801","title":"Debian Security Update for barbican (CVE-2022-23451)"},{"cve":"CVE-2022-23451","qid":"198750","title":"Ubuntu Security Notification for Barbican Vulnerabilities (USN-5387-1)"},{"cve":"CVE-2022-23451","qid":"240486","title":"Red Hat Update for OpenStack Platform 16.2 (RHSA-2022:5114)"},{"cve":"CVE-2022-23451","qid":"240985","title":"Red Hat Update for OpenStack Platform 16.1.9 (RHSA-2022:8874)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2022-23451","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-863 - Incorrect Authorization.","cweId":"CWE-863"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"openstack/barbican","version":{"version_data":[{"version_affected":"=","version_value":"Fixed in v14.0.0"}]}}]}}]}},"references":{"reference_data":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2025089","refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2025089"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2022878","refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2022878"},{"url":"https://review.opendev.org/c/openstack/barbican/+/811236","refsource":"MISC","name":"https://review.opendev.org/c/openstack/barbican/+/811236"},{"url":"https://access.redhat.com/security/cve/CVE-2022-23451","refsource":"MISC","name":"https://access.redhat.com/security/cve/CVE-2022-23451"},{"url":"https://storyboard.openstack.org/#%21/story/2009253","refsource":"MISC","name":"https://storyboard.openstack.org/#%21/story/2009253"}]}},"nvd":{"publishedDate":"2022-09-06 18:15:00","lastModifiedDate":"2023-02-12 22:15:00","problem_types":["CWE-863"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.2}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:openstack:barbican:*:*:*:*:*:*:*:*","versionEndExcluding":"14.0.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:openstack_platform:13.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"23451","Ordinal":"226283","Title":"CVE-2022-23451","CVE":"CVE-2022-23451","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"23451","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}