CVE-2023-1636

A vulnerability was found in OpenStack Barbican containers. This vulnerability is only applicable to deployments that utilize an all-in-one configuration. Barbican containers share the same CGROUP, USER, and NET namespace with the host system and other OpenStack services. If any service is compromised, it could gain access to the data transmitted to and from Barbican.

CVSS v3 5.0 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://access.redhat.com/security/cve/CVE-2023-1636	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2181765	Issue Tracking Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openstack:barbican:-:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:redhat:openstack_platform:16.1:::::::*
	cpe:2.3:a:redhat:openstack_platform:16.2:::::::*
	cpe:2.3:a:redhat:openstack_platform:17.0:::::::*

History

26 Sep 2023, 17:57

Type	Values Removed	Values Added
CPE		cpe:2.3:a:redhat:openstack_platform:16.2:::::::* cpe:2.3:a:redhat:openstack_platform:17.0:::::::* cpe:2.3:a:redhat:openstack_platform:16.1:::::::* cpe:2.3:a:openstack:barbican:-:::::::*
References	~~(MISC) https://access.redhat.com/security/cve/CVE-2023-1636 -~~	(MISC) https://access.redhat.com/security/cve/CVE-2023-1636 - Third Party Advisory
References	~~(MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2181765 -~~	(MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2181765 - Issue Tracking, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.0
CWE		NVD-CWE-noinfo
First Time		Openstack Redhat openstack Platform Openstack barbican Redhat

24 Sep 2023, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-24 01:15

Updated : 2023-12-10 15:14

NVD link : CVE-2023-1636

Mitre link : CVE-2023-1636

CVE.ORG link : CVE-2023-1636

JSON object : View

Products Affected

openstack

barbican

redhat

openstack_platform

CWE

NVD-CWE-noinfo CWE-653

Insufficient Compartmentalization

{"id": "CVE-2023-1636", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.1}, {"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.7, "exploitabilityScore": 1.8}]}, "published": "2023-09-24T01:15:43.920", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-1636", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181765", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-653"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in OpenStack Barbican containers. This vulnerability is only applicable to deployments that utilize an all-in-one configuration. Barbican containers share the same CGROUP, USER, and NET namespace with the host system and other OpenStack services. If any service is compromised, it could gain access to the data transmitted to and from Barbican."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en los contenedores OpenStack Barbican. Esta vulnerabilidad solo se aplica a implementaciones que utilizan una configuraci\u00f3n todo en uno. Los contenedores Barbican comparten el mismo espacio de nombres CGROUP, USER y NET con el sistema host y otros servicios OpenStack. Si alg\u00fan servicio se ve comprometido, podr\u00eda obtener acceso a los datos transmitidos hacia y desde Barbican."}], "lastModified": "2023-11-07T04:04:25.993", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openstack:barbican:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "596EFC6C-4D91-4EDF-9EC6-1C58EB485C5E"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DCC81071-B46D-4F5D-AC25-B4A4CCC20C73"}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4B3000D2-35DF-4A93-9FC0-1AD3AB8349B8"}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:17.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F7076B1E-0529-43CC-828B-45C2ED11F9F6"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}