CVE-2022-44020

2022-10-3000:15:10

CWE-281

[email protected]

web.nvd.nist.gov

openstack

sushy-tools

virtualbmc

configuration

password protection

libvirt xml

security issue

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

17.8%

JSON

An issue was discovered in OpenStack Sushy-Tools through 0.21.0 and VirtualBMC through 2.2.2. Changing the boot device configuration with these packages removes password protection from the managed libvirt XML domain. NOTE: this only affects an “unsupported, production-like configuration.”

Affected configurations

Nvd

Node

opendevsushy-toolsRange<0.21.1openstack

opendevvirtualbmcRange<3.0.0openstack

Node

fedoraprojectfedoraMatch35

fedoraprojectfedoraMatch36

fedoraprojectfedoraMatch37

VendorProductVersionCPE
opendevsushy-tools*cpe:2.3:a:opendev:sushy-tools:*:*:*:*:*:openstack:*:*
opendevvirtualbmc*cpe:2.3:a:opendev:virtualbmc:*:*:*:*:*:openstack:*:*
fedoraprojectfedora35cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
fedoraprojectfedora36cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
fedoraprojectfedora37cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
opendev	sushy-tools	*	cpe:2.3:a:opendev:sushy-tools::::::openstack::*
opendev	virtualbmc	*	cpe:2.3:a:opendev:virtualbmc::::::openstack::*
fedoraproject	fedora	35	cpe:2.3:o:fedoraproject:fedora:35:::::::*
fedoraproject	fedora	36	cpe:2.3:o:fedoraproject:fedora:36:::::::*
fedoraproject	fedora	37	cpe:2.3:o:fedoraproject:fedora:37:::::::*