CVE-2022-1655

NameCVE-2022-1655
DescriptionAn Incorrect Permission Assignment for Critical Resource flaw was found in Horizon on Red Hat OpenStack. Horizon session cookies are created without the HttpOnly flag despite HorizonSecureCookies being set to true in the environmental files, possibly leading to a loss of confidentiality and integrity.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
horizon (PTS)jessie, jessie (lts)2014.1.3-7+deb8u2vulnerable
stretch3:10.0.1-1fixed
buster (security), buster, buster (lts)3:14.0.2-3+deb10u3fixed
bullseye3:18.6.2-5+deb11u2fixed
bookworm3:23.0.0-5+deb12u1fixed
sid, trixie3:25.1.0-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
horizonsourcejessie(unfixed)end-of-life
horizonsource(unstable)(not affected)

Notes

- horizon <not-affected> (Red Hat-specific packaging issue)
https://bugzilla.redhat.com/show_bug.cgi?id=2075681
Seems to be specific to the way Red Hat distributes Horizon, the Debian
package defaults to SESSION_COOKIE_HTTPONLY = True

Search for package or bug name: Reporting problems