PyPi: Mistral

CVE-2018-16849

Safety vulnerability ID: 36611

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Nov 02, 2018 Updated at Dec 03, 2024

Advisory

Mistral 7.0.1 includes a fix for CVE-2018-16849: By manipulating the SSH private key filename, the std.ssh action can be used to disclose the presence of arbitrary files within the filesystem of the executor running the action. Since std.ssh private_key_filename can take an absolute path, it can be used to assess whether or not a file exists on the executor's filesystem.

Affected package

mistral

Latest version: 2015.1.0

Mistral Project

Affected versions

Fixed versions

Vulnerability changelog

A flaw was found in openstack-mistral. By manipulating the SSH private key filename, the std.ssh action can be used to disclose the presence of arbitrary files within the filesystem of the executor running the action. Since std.ssh private_key_filename can take an absolute path, it can be used to assess whether or not a file exists on the executor's filesystem.
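The advisory and changelog above describe the same defect: the executor joins the caller-supplied private_key_filename onto its key directory, so an absolute value selects any path on the executor, and the success or failure of the subsequent open becomes a file-existence oracle. The following added example is not Mistral's code and not its actual fix; it contrasts a hypothetical version of that vulnerable resolution with a hardened resolver that accepts only a bare file name and confirms the resolved path still sits directly inside the key directory. The key directory default, the sample names and the function names are all constructed for illustration.

```python
import os
from pathlib import Path

# Constructed sample inputs: values a caller could place in private_key_filename.
SAMPLE_NAMES = ["id_rsa", "/etc/passwd", "../../etc/shadow", "keys/id_rsa", "~/.bashrc", ""]


class InvalidKeyName(ValueError):
    """Raised when private_key_filename is not a plain file name inside the key directory."""


def vulnerable_key_path(private_key_filename: str, key_dir: str = "~/.ssh") -> str:
    """Resolution pattern the advisory describes (hypothetical code, not Mistral's).

    os.path.join discards key_dir when the second component is absolute, so the
    caller picks an arbitrary path on the executor; whether the later open()
    succeeds or fails then reveals whether that file exists.
    """
    return os.path.join(os.path.expanduser(key_dir),
                        os.path.expanduser(private_key_filename))


def safe_key_path(private_key_filename: str, key_dir: str = "~/.ssh") -> str:
    """Hardened resolution (hypothetical): accept only a bare file name, never
    expand it, and confirm the resolved result lives directly in key_dir."""
    name = private_key_filename
    if (not name or name in (".", "..") or Path(name).is_absolute()
            or os.path.basename(name) != name or name.startswith("~")):
        raise InvalidKeyName("private_key_filename must be a bare file name")
    base = Path(key_dir).expanduser().resolve()
    # resolve() also follows symlinks, so a link placed in key_dir that points
    # outside it fails the parent check below instead of being opened.
    candidate = (base / name).resolve()
    if candidate.parent != base:
        raise InvalidKeyName("private_key_filename escapes the key directory")
    return str(candidate)


def is_acceptable_key_name(private_key_filename: str, key_dir: str = "~/.ssh") -> bool:
    """Boolean wrapper for callers that only validate (e.g. at request admission)."""
    try:
        safe_key_path(private_key_filename, key_dir)
        return True
    except InvalidKeyName:
        return False


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name!r:22} vulnerable -> {vulnerable_key_path(name)}")
        hardened = safe_key_path(name) if is_acceptable_key_name(name) else "REJECTED"
        print(f"{'':22} hardened   -> {hardened}")
```

The hardened resolver rejects the input before any filesystem access, so a rejected name yields the same error regardless of what exists on disk; only names that map to a file directly under the key directory ever reach open(). Because the final check compares the resolved parent with the resolved key directory, a symlink inside the key directory pointing elsewhere is also refused, which is a deliberate choice that a deployment storing keys behind symlinks would need to relax.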


CONFIRM: https://bugs.launchpad.net/mistral/+bug/1783708
CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16849

Resources


Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
HIGH
Integrity Impact (I)
NONE
Availability Impact (A)
NONE

CVSS v2 Details

MEDIUM 5.0
Access Vector (AV)
NETWORK
Access Complexity (AC)
LOW
Authentication (Au)
NONE
Confidentiality Impact (C)
PARTIAL
Integrity Impact (I)
NONE
Availability Impact (A)
NONE