CVE-2018-16849

Name: CVE-2018-16849
Description: A flaw was found in openstack-mistral. By manipulating the SSH private key filename, the std.ssh action can be used to disclose the presence of arbitrary files within the filesystem of the executor running the action. Since std.ssh private_key_filename can take an absolute path, it can be used to assess whether or not a file exists on the executor's filesystem.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs: 912714

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
mistral (PTS) | stretch | 3.0.0-4 | vulnerable
mistral (PTS) | buster, sid | 7.0.0-2 | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
mistral | source | (unstable) | 7.0.0-2 | low | | 912714

Notes

[stretch] - mistral <no-dsa> (Minor issue)
https://bugs.launchpad.net/mistral/+bug/1783708
