CVE-2022-44020: Improper Preservation of Permissions

October 30, 2022 (updated November 7, 2023)

An issue was discovered in OpenStack Sushy-Tools through 0.21.0 and VirtualBMC through 2.2.2. Changing the boot device configuration with these packages removes password protection from the managed libvirt XML domain. NOTE: this only affects an “unsupported, production-like configuration.”

References

nvd.nist.gov/vuln/detail/CVE-2022-44020
review.opendev.org/c/openstack/sushy-tools/+/862625
review.opendev.org/c/openstack/virtualbmc/+/862620
storyboard.openstack.org/

Code Behaviors & Features

Detect and mitigate CVE-2022-44020 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →