Openstack
CVE-2022-1655
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
An Incorrect Permission Assignment for Critical Resource flaw was found in Horizon on Red Hat OpenStack. Horizon session cookies are created without the HttpOnly flag despite HorizonSecureCookies being set to true in the environmental files, possibly leading to a loss of confidentiality and integrity.
AnalysisAI
An Incorrect Permission Assignment for Critical Resource flaw was found in Horizon on Red Hat OpenStack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Incorrect Permission Assignment (CWE-732), which allows attackers to access resources due to misconfigured permissions. An Incorrect Permission Assignment for Critical Resource flaw was found in Horizon on Red Hat OpenStack. Horizon session cookies are created without the HttpOnly flag despite HorizonSecureCookies being set to true in the environmental files, possibly leading to a loss of confidentiality and integrity. Affected products include: Redhat Openstack.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Review and restrict file/resource permissions, apply principle of least privilege.
Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.2
Eval injection vulnerability in the create method in the Bookmarks controller in Foreman before 1.2.0-RC2 allows remote
The create method in app/controllers/users_controller.rb in Foreman before 1.2.0-RC2 allows remote authenticated users w
Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addres
The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a
Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10,
An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4
Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remot
A privilege escalation vulnerability exists in the oslo.privsep functionality of OpenStack git master 05194e7618 and pri
Integer overflow in the getnum function in lua_struct.c in Redis 2.8.x before 2.8.24 and 3.0.x before 3.0.6 allows conte
The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows
Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today