CVE-2018-16849
low-risk
Published 2018-11-02
A flaw was found in openstack-mistral. The private_key_filename parameter of the std.ssh action accepts an absolute path, so anyone able to run a workflow can point it at an arbitrary path and, from how the action then succeeds or fails, learn whether that file exists on the filesystem of the executor running the action. Only the presence of the file is disclosed, not its contents, but this still lets a workflow author map the executor's filesystem.
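The pattern behind this bug, as an added example that is not Mistral's code: a key loader that honours an absolute private_key_filename and fails differently for missing versus present files, beside a hardened loader that confines lookups to the key directory and collapses every failure into one error. The sandbox layout, the function names, the key directory and the error strings are all assumptions made for the demonstration.

```python
"""Added example (not Mistral's code): a file-existence oracle of the kind
CVE-2018-16849 describes, next to a hardened loader. The function names,
the sandbox layout, the key directory and the error strings are assumptions."""
import os
import tempfile
from pathlib import Path


class KeyLoadError(Exception):
    """Single, path-independent error raised by the hardened loader."""


def make_sandbox(root: Path) -> Path:
    """Constructed fixture: a fake executor filesystem with one SSH key and
    one unrelated file an attacker might probe for."""
    ssh_dir = root / "home" / "mistral" / ".ssh"
    ssh_dir.mkdir(parents=True)
    (ssh_dir / "id_rsa").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "(constructed placeholder, not a real key)\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    )
    (root / "etc").mkdir()
    (root / "etc" / "secret.conf").write_text("password=hunter2\n")
    return ssh_dir


def vulnerable_load_key(private_key_filename: str, ssh_dir: Path) -> str:
    """Vulnerable pattern. os.path.join discards ssh_dir when the second
    argument is absolute, and the error raised depends on whether the
    resulting path exists, so each call answers 'is this file present?'."""
    path = os.path.join(str(ssh_dir), private_key_filename)
    if not os.path.exists(path):
        raise FileNotFoundError(f"no such private key file: {path}")
    with open(path) as f:
        data = f.read()
    if "PRIVATE KEY" not in data:
        raise ValueError(f"not a private key file: {path}")
    return data


def hardened_load_key(private_key_filename: str, ssh_dir: Path) -> str:
    """Hardened pattern: accept only a bare filename inside ssh_dir, refuse
    absolute paths and '..' traversal, and collapse every failure into one
    error so the caller cannot tell 'absent' from 'present but unusable'."""
    base = ssh_dir.resolve()
    if os.path.isabs(private_key_filename):
        raise KeyLoadError("unable to load private key")
    candidate = (base / private_key_filename).resolve()
    if candidate.parent != base:
        raise KeyLoadError("unable to load private key")
    try:
        data = candidate.read_text()
    except OSError:
        raise KeyLoadError("unable to load private key") from None
    if "PRIVATE KEY" not in data:
        raise KeyLoadError("unable to load private key")
    return data


def probe(load_key, private_key_filename: str, ssh_dir: Path) -> str:
    """What a workflow author learns from one std.ssh call with a crafted
    private_key_filename, judged purely from the error class returned."""
    try:
        load_key(private_key_filename, ssh_dir)
        return "exists"
    except FileNotFoundError:
        return "absent"
    except KeyLoadError:
        return "unknown"           # same error for every bad input
    except (ValueError, OSError):
        return "exists"            # file was there, just not a usable key


def demo() -> dict:
    """Run both loaders against the constructed sandbox and report what
    each one leaks about files outside the key directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        ssh_dir = make_sandbox(root)
        present = str(root / "etc" / "secret.conf")
        missing = str(root / "etc" / "does-not-exist")
        traversal = "../../../etc/secret.conf"
        return {
            "vulnerable": (probe(vulnerable_load_key, present, ssh_dir),
                           probe(vulnerable_load_key, missing, ssh_dir),
                           probe(vulnerable_load_key, traversal, ssh_dir)),
            "hardened": (probe(hardened_load_key, present, ssh_dir),
                         probe(hardened_load_key, missing, ssh_dir),
                         probe(hardened_load_key, traversal, ssh_dir)),
            "hardened_legit": probe(hardened_load_key, "id_rsa", ssh_dir),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable loader answers "exists" or "absent" for any absolute or traversal path, which is exactly the oracle the advisory describes. The hardened loader rejects both, and because every failure is the same KeyLoadError, even a probe confined to the key directory learns nothing from the error class; a legitimate bare filename still loads normally.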
Do I need to act?
EPSS: 0.14% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown. Check vendor advisories for fix availability and mitigation guidance
CVSS: 3.1/10 (Low); attack vector Network, attack complexity High
Affected Products (1)
openstack-mistral
References (2)
Third Party Advisory: https://bugs.launchpad.net/mistral/+bug/1783708
Issue Tracking: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16849
Overall score: 17/100 (low-risk)
Severity: 11/34 (Low)
Exploitability: 1/34 (Minimal)
Exposure: 5/34 (Minimal)