CVE Vulnerability

CVE-2022-44020

An issue was discovered in OpenStack Sushy-Tools through 0.21.0 and VirtualBMC through 2.2.2. Changing the boot device configuration with these packages removes password protection from the managed libvirt XML domain. NOTE: this only affects an "unsupported, production-like configuration."

5.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://storyboard.openstack.org/#!/story/2010382 Patch Vendor Advisory
https://review.opendev.org/c/openstack/virtualbmc/+/862620 Patch Vendor Advisory
https://review.opendev.org/c/openstack/sushy-tools/+/862625 Patch Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GAD7QJIUWPCKJIGYP7PPHH5DILOEONFE/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMSUGS4B6EBRHBJMTRXL5RIKJTZTEMJC/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEQVJF3OQGSDCSQTQQSC54JEGLMSNB4Q/ Mailing List Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:opendev:sushy-tools:*:*:*:*:*:openstack:*:*
cpe:2.3:a:opendev:virtualbmc:*:*:*:*:*:openstack:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Information

Published : 2022-10-30 12:15

Updated : 2023-02-09 01:33

NVD link : CVE-2022-44020

Mitre link : CVE-2022-44020

Products Affected
No products.
CWE
CWE-281

Improper Preservation of Permissions