Name | CVE-2022-1655 |
Description | An Incorrect Permission Assignment for Critical Resource flaw was found in Horizon on Red Hat OpenStack. Horizon session cookies are created without the HttpOnly flag despite HorizonSecureCookies being set to true in the environmental files, possibly leading to a loss of confidentiality and integrity. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
horizon (PTS) | jessie, jessie (lts) | 2014.1.3-7+deb8u2 | vulnerable |
| stretch | 3:10.0.1-1 | fixed |
| buster (security), buster, buster (lts) | 3:14.0.2-3+deb10u3 | fixed |
| bullseye | 3:18.6.2-5+deb11u2 | fixed |
| bookworm | 3:23.0.0-5+deb12u1 | fixed |
| sid, trixie | 3:25.1.0-4 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|
horizon | source | jessie | (unfixed) | end-of-life | | |
horizon | source | (unstable) | (not affected) | | | |
Notes
- horizon <not-affected> (Red Hat-specific packaging issue)
https://bugzilla.redhat.com/show_bug.cgi?id=2075681
Seems to be specific to the way Red Hat distributes Horizon, the Debian
package defaults to SESSION_COOKIE_HTTPONLY = True