Information disclosure in Red Hat OpenStack Platform python-django-horizon
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2022-1655 |
| CWE-ID | CWE-732 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Red Hat OpenStack Server applications / Other server solutions python-django-horizon (Red Hat package) Operating systems & Components / Operating system package or component |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Incorrect permission assignment for critical resource
EUVDB-ID: #VU70050
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-1655
CWE-ID:
CWE-732 - Incorrect Permission Assignment for Critical Resource
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to Horizon session cookies are created without the HttpOnly flag despite HorizonSecureCookies being set to true in the environmental files. A remote attacker can gain unauthorized access to potential sensitive information.
Install updates from vendor's website.
Red Hat OpenStack: before 16.2.4
python-django-horizon (Red Hat package): before 16.2.3-2.20220926144724.d3d3d18.el8ost
CPE2.3- cpe:2.3:a:red_hat:red_hat_openstack:*:*:*:*:*:*:*:*
- cpe:2.3:o:red_hat:python-django-horizon_redhat_package:*:*:*:*:*:red_hat_enterprise_linux:*:*
https://access.redhat.com/security/cve/cve-2022-1655
https://bugzilla.redhat.com/show_bug.cgi?id=2075681
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
