CVE-2022-38065
Published: 21 December 2022
A privilege escalation vulnerability exists in the oslo.privsep functionality of OpenStack git master 05194e7618 and prior. Overly permissive functionality within tools leveraging this library within a container can lead increased privileges.
Notes
| Author | Note |
|---|---|
| mdeslaur | Upstream doesn't consider this a security issue, but as a hardening improvement as it works as documented. There are no plans to fix this in stable releases. See discussion in upstream bug report. We will not be fixing this issue in our stable releases either, so marking as ignored. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
openstack Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
|
|
|
python-oslo.privsep Launchpad, Ubuntu, Debian |
bionic |
Ignored
|
| focal |
Ignored
|
|
| jammy |
Ignored
|
|
| kinetic |
Ignored
|
|
| lunar |
Ignored
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(end of standard support)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 8.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |