CVE-2022-44020

An issue was discovered in OpenStack Sushy-Tools through 0.21.0 and VirtualBMC through 2.2.2. Changing the boot device configuration with these packages removes password protection from the managed libvirt XML domain. NOTE: this only affects an "unsupported, production-like configuration."

CVSS v3.0 5.5 MEDIUM

5.5^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GAD7QJIUWPCKJIGYP7PPHH5DILOEONFE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GAD7QJIUWPCKJIGYP7PPHH5DILOEONFE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEQVJF3OQGSDCSQTQQSC54JEGLMSNB4Q/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEQVJF3OQGSDCSQTQQSC54JEGLMSNB4Q/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QMSUGS4B6EBRHBJMTRXL5RIKJTZTEMJC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QMSUGS4B6EBRHBJMTRXL5RIKJTZTEMJC/
https://review.opendev.org/c/openstack/sushy-tools/+/862625	Patch Vendor Advisory
https://review.opendev.org/c/openstack/sushy-tools/+/862625	Patch Vendor Advisory
https://review.opendev.org/c/openstack/virtualbmc/+/862620	Patch Vendor Advisory
https://review.opendev.org/c/openstack/virtualbmc/+/862620	Patch Vendor Advisory
https://storyboard.openstack.org/#%21/story/2010382
https://storyboard.openstack.org/#%21/story/2010382

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:opendev:sushy-tools::::::openstack::*
	cpe:2.3:a:opendev:virtualbmc::::::openstack::*

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:35:::::::*
	cpe:2.3:o:fedoraproject:fedora:36:::::::*
	cpe:2.3:o:fedoraproject:fedora:37:::::::*

History

07 May 2025, 14:15

Type	Values Removed	Values Added
References	~~(MISC) https://review.opendev.org/c/openstack/sushy-tools/+/862625 - Patch, Vendor Advisory~~	() https://review.opendev.org/c/openstack/sushy-tools/+/862625 - Patch, Vendor Advisory
References	~~(MISC) https://review.opendev.org/c/openstack/virtualbmc/+/862620 - Patch, Vendor Advisory~~	() https://review.opendev.org/c/openstack/virtualbmc/+/862620 - Patch, Vendor Advisory

07 Nov 2023, 03:54

Type	Values Removed	Values Added
References	{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEQVJF3OQGSDCSQTQQSC54JEGLMSNB4Q/', 'name': 'FEDORA-2022-471e14677d', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GAD7QJIUWPCKJIGYP7PPHH5DILOEONFE/', 'name': 'FEDORA-2022-72b8efd577', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMSUGS4B6EBRHBJMTRXL5RIKJTZTEMJC/', 'name': 'FEDORA-2022-42723b43fe', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'} ~~{'url': 'https://storyboard.openstack.org/#!/story/2010382', 'name': 'https://storyboard.openstack.org/#!/story/2010382', 'tags': ['Patch', 'Vendor Advisory'], 'refsource': 'MISC'}~~	() https://storyboard.openstack.org/#%21/story/2010382 - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QMSUGS4B6EBRHBJMTRXL5RIKJTZTEMJC/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GAD7QJIUWPCKJIGYP7PPHH5DILOEONFE/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEQVJF3OQGSDCSQTQQSC54JEGLMSNB4Q/ -

Information

Published : 2022-10-30 00:15

Updated : 2025-05-07 14:15

NVD link : CVE-2022-44020

Mitre link : CVE-2022-44020

JSON object : View

Products Affected

opendev

virtualbmc
sushy-tools

fedoraproject

fedora

CWE

CWE-281

Improper Preservation of Permissions

5.5 /10