Incorrect permission assignment for critical resource in Red Hat OpenStack

#VU70050 Incorrect permission assignment for critical resource in Red Hat OpenStack

Published: 2022-12-08

Vulnerability identifier: #VU70050

Vulnerability risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1655

CWE-ID: CWE-732

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Red Hat OpenStack
Server applications / Other server solutions

Vendor:

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to Horizon session cookies are created without the HttpOnly flag despite HorizonSecureCookies being set to true in the environmental files. A remote attacker can gain unauthorized access to potential sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

External links
http://access.redhat.com/security/cve/cve-2022-1655
http://bugzilla.redhat.com/show_bug.cgi?id=2075681

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in Red Hat OpenStack Platform python-django-horizon