{"containers": {"cna": {"affected": [{"product": "OpenStack", "vendor": "n/a", "versions": [{"status": "affected", "version": "OpenStack 16.2"}]}], "descriptions": [{"lang": "en", "value": "An Incorrect Permission Assignment for Critical Resource flaw was found in Horizon on Red Hat OpenStack. Horizon session cookies are created without the HttpOnly flag despite HorizonSecureCookies being set to true in the environmental files, possibly leading to a loss of confidentiality and integrity."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "description": "CWE-732", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-22T14:54:02", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://access.redhat.com/security/cve/cve-2022-1655"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2022-1655", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "OpenStack", "version": {"version_data": [{"version_value": "OpenStack 16.2"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An Incorrect Permission Assignment for Critical Resource flaw was found in Horizon on Red Hat OpenStack. Horizon session cookies are created without the HttpOnly flag despite HorizonSecureCookies being set to true in the environmental files, possibly leading to a loss of confidentiality and integrity."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-732"}]}]}, "references": {"reference_data": [{"name": "https://access.redhat.com/security/cve/cve-2022-1655", "refsource": "MISC", "url": "https://access.redhat.com/security/cve/cve-2022-1655"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:10:03.818Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://access.redhat.com/security/cve/cve-2022-1655"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2022-1655", "datePublished": "2022-07-22T14:54:02", "dateReserved": "2022-05-10T00:00:00", "dateUpdated": "2024-08-03T00:10:03.818Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openstack:16.2:*:*:*:*:*:*:*", "matchCriteriaId": "307846C3-F2B3-4E0D-AA31-BCC1444589F8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An Incorrect Permission Assignment for Critical Resource flaw was found in Horizon on Red Hat OpenStack. Horizon session cookies are created without the HttpOnly flag despite HorizonSecureCookies being set to true in the environmental files, possibly leading to a loss of confidentiality and integrity."}, {"lang": "es", "value": "Se ha encontrado un fallo de Asignaci\u00f3n Incorrecta de Permisos para Recursos Cr\u00edticos en Horizon en Red Hat OpenStack. Las cookies de sesi\u00f3n de Horizon son creadas sin el flag HttpOnly a pesar de que HorizonSecureCookies est\u00e1 configurado como true en los archivos de entorno, conllevando posiblemente a una p\u00e9rdida de confidencialidad e integridad"}], "id": "CVE-2022-1655", "lastModified": "2024-11-21T06:41:11.280", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-22T15:15:08.057", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/cve-2022-1655"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/cve-2022-1655"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Riccardo Bruzzone (Red Hat).", "affected_release": [{"advisory": "RHSA-2022:8856", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "python-django-horizon-1:16.2.3-2.20220926144724.d3d3d18.el8ost", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2022-12-07T00:00:00Z"}], "bugzilla": {"description": "OpenStack: Horizon session cookies are not flagged HttpOnly", "id": "2075681", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2075681"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-732", "details": ["An Incorrect Permission Assignment for Critical Resource flaw was found in Horizon on Red Hat OpenStack. Horizon session cookies are created without the HttpOnly flag despite HorizonSecureCookies being set to true in the environmental files, possibly leading to a loss of confidentiality and integrity.", "An Incorrect Permission Assignment for Critical Resource flaw was found in Horizon on Red Hat OpenStack. Horizon session cookies are created without the HttpOnly flag despite HorizonSecureCookies being set to true in the environmental files, possibly leading to a loss of confidentiality and integrity."], "name": "CVE-2022-1655", "public_date": "2022-04-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-1655\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-1655"], "threat_severity": "Low", "upstream_fix": "OpenStack 16.2"}