CVE-2022-44020: 
Python vulnerability analysis and mitigation

An issue was discovered in OpenStack Sushy-Tools through 0.21.0 and VirtualBMC through 2.2.2, identified as CVE-2022-44020. The vulnerability manifests when changing the boot device configuration with these packages, which removes password protection from the managed libvirt XML domain. This vulnerability specifically affects an 'unsupported, production-like configuration.' The issue was discovered and disclosed in October 2022 (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. The vulnerability is classified under CWE-281 (Improper Preservation of Permissions) and affects the security of the libvirt XML domain configuration (NVD).

When exploited, this vulnerability compromises the password protection mechanism of the managed libvirt XML domain. This could potentially expose the system to unauthorized access or modifications of the virtual machine configurations (NVD).

The vulnerability has been patched in VirtualBMC version 3.0.0. Users are advised to upgrade to this version or later. The fix has been implemented across multiple distributions, including Fedora 35, 36, and 37 (Fedora 36 Update, Fedora 37 Update).