CVE-2018-16849

Name: CVE-2018-16849
Description: A flaw was found in openstack-mistral. By manipulating the SSH private key filename, the std.ssh action can be used to disclose the presence of arbitrary files within the filesystem of the executor running the action. Since std.ssh private_key_filename can take an absolute path, it can be used to assess whether or not a file exists on the executor's filesystem.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)
Debian Bugs: 912714

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release       Version          Status
mistral (PTS)    stretch       3.0.0-4+deb9u1   fixed
mistral (PTS)    buster, sid   7.0.0-2          fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version    Urgency   Origin   Debian Bugs
mistral   source   (unstable)   7.0.0-2          low                912714
mistral   source   stretch      3.0.0-4+deb9u1   medium

Notes

https://bugs.launchpad.net/mistral/+bug/1783708
