Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2018-16849

Опубликовано: 02 нояб. 2018
Источник: redhat
CVSS3: 4.3
EPSS Низкий

Описание

A flaw was found in openstack-mistral. By manipulating the SSH private key filename, the std.ssh action can be used to disclose the presence of arbitrary files within the filesystem of the executor running the action. Since std.ssh private_key_filename can take an absolute path, it can be used to assess whether or not a file exists on the executor's filesystem.

An information-disclosure flaw was discovered in openstack-mistral, where the SSH private key filename of a std.ssh action could be manipulated. The flaw could be exploited to determine the presence of a file path on the host executing the std.ssh action, based on the returned error message.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat OpenStack Platform 14 (Rocky)openstack-mistralOut of support scope
Red Hat OpenStack Platform 15 (Stein)openstack-mistralAffected
Red Hat OpenStack Platform 13.0 (Queens)instack-undercloudFixedRHBA-2019:044814.03.2019
Red Hat OpenStack Platform 13.0 (Queens)openstack-mistralFixedRHBA-2019:044814.03.2019
Red Hat OpenStack Platform 13.0 (Queens)openstack-tripleo-commonFixedRHBA-2019:044814.03.2019
Red Hat OpenStack Platform 13.0 (Queens)openstack-tripleo-heat-templatesFixedRHBA-2019:044814.03.2019
Red Hat OpenStack Platform 13.0 (Queens)openstack-tripleo-image-elementsFixedRHBA-2019:044814.03.2019
Red Hat OpenStack Platform 13.0 (Queens)openstack-tripleo-puppet-elementsFixedRHBA-2019:044814.03.2019
Red Hat OpenStack Platform 13.0 (Queens)openstack-tripleo-uiFixedRHBA-2019:044814.03.2019
Red Hat OpenStack Platform 13.0 (Queens)openstack-tripleo-validationsFixedRHBA-2019:044814.03.2019

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-200
https://bugzilla.redhat.com/show_bug.cgi?id=1645334openstack-mistral: std.ssh action may disclose presence of arbitrary files

EPSS

Процентиль: 35%
0.0014
Низкий

4.3 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2018-16849

CVSS3: 3.1
ubuntu
больше 7 лет назад

A flaw was found in openstack-mistral. By manipulating the SSH private key filename, the std.ssh action can be used to disclose the presence of arbitrary files within the filesystem of the executor running the action. Since std.ssh private_key_filename can take an absolute path, it can be used to assess whether or not a file exists on the executor's filesystem.

nvd логотип

CVE-2018-16849

CVSS3: 3.1
nvd
больше 7 лет назад

A flaw was found in openstack-mistral. By manipulating the SSH private key filename, the std.ssh action can be used to disclose the presence of arbitrary files within the filesystem of the executor running the action. Since std.ssh private_key_filename can take an absolute path, it can be used to assess whether or not a file exists on the executor's filesystem.

debian логотип

CVE-2018-16849

CVSS3: 3.1
debian
больше 7 лет назад

A flaw was found in openstack-mistral. By manipulating the SSH private ...

github логотип

GHSA-fqw7-c6vr-q29m

CVSS3: 7.5
github
больше 3 лет назад

openstack-mistral Discloses the presence of arbitrary files within the filesystem

EPSS

Процентиль: 35%
0.0014
Низкий

4.3 Medium

CVSS3