CVE-2018-16849

Published: 02/11/2018 Updated: 09/10/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

A flaw was found in openstack-mistral. By manipulating the SSH private key filename, the std.ssh action can be used to disclose the presence of arbitrary files within the filesystem of the executor running the action. Since std.ssh private_key_filename can take an absolute path, it can be used to assess whether or not a file exists on the executor's filesystem.
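One way to close this kind of file-existence oracle, shown as an added example that is not Mistral's code or its actual fix: accept only a bare key filename inside a dedicated key directory, and return the same error for every failure so a caller cannot tell a missing file from an existing one. The names `resolve_key_path`, `load_private_key`, `KeyUnavailable` and the `key_dir` parameter are assumptions made for illustration.

```python
import logging
import os

log = logging.getLogger("ssh_action_example")  # hypothetical logger name


class KeyUnavailable(Exception):
    """Single error type and message for every key-loading failure."""

    def __init__(self):
        super().__init__("private key could not be loaded")


def resolve_key_path(name, key_dir):
    """Map a caller-supplied key name to a file strictly inside key_dir."""
    # Reject absolute paths, anything with a directory component, and dot names.
    if not name or os.path.isabs(name) or os.path.basename(name) != name:
        raise ValueError("key name must be a bare filename")
    if name in (".", ".."):
        raise ValueError("key name must be a bare filename")
    base = os.path.realpath(key_dir)
    path = os.path.realpath(os.path.join(base, name))
    # realpath follows symlinks, so a link pointing outside key_dir fails here.
    if os.path.commonpath([base, path]) != base:
        raise ValueError("key path escapes key directory")
    return path


def load_private_key(name, key_dir):
    """Return key bytes, or raise KeyUnavailable with a fixed message."""
    try:
        path = resolve_key_path(name, key_dir)
        with open(path, "rb") as fh:
            return fh.read()
    except (ValueError, OSError) as exc:
        # Detail stays in the executor's own log; the caller sees one message
        # whether the name was invalid, the file missing, or unreadable.
        log.warning("key load failed for %r: %s", name, exc)
        raise KeyUnavailable() from None
```
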

Vulnerable Product

redhat openstack-mistral

Vendor Advisories

Debian Bug report logs - #912714 mistral: CVE-2018-16849: std.ssh action may disclose presence of arbitrary files. Package: src:mistral; Maintainer for src:mistral is Debian OpenStack <team+openstack@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 3 Nov 2018 07:33:02 UTC; Severity ...
An information disclosure is possible by manipulating the SSH private key filename of a std.ssh action in OpenStack Mistral before 701. Using this flaw, it is possible to determine the presence of a file path on the host executing the std.ssh action based on the returned error message ...