CVE-2018-16849

NameCVE-2018-16849
DescriptionA flaw was found in openstack-mistral. By manipulating the SSH private key filename, the std.ssh action can be used to disclose the presence of arbitrary files within the filesystem of the executor running the action. Since std.ssh private_key_filename can take an absolute path, it can be used to assess whether or not a file exists on the executor's filesystem.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs912714

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mistral (PTS)buster7.0.0-2fixed
bullseye11.0.0-2fixed
bookworm15.0.0-1fixed
sid, trixie17.0.0-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mistralsourcestretch3.0.0-4+deb9u1
mistralsource(unstable)7.0.0-2low912714

Notes

https://bugs.launchpad.net/mistral/+bug/1783708

Search for package or bug name: Reporting problems