CVE-2021-4472

Name: CVE-2021-4472
Description: The mistral-dashboard plugin for OpenStack has a local file inclusion vulnerability through the 'Create Workbook' feature that may result in disclosure of the contents of arbitrary local files.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-4391-1, DLA-4392-1

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| mistral-dashboard (PTS) | bullseye | 11.0.0-2 | vulnerable |
| | bullseye (security) | 11.0.0-2+deb11u1 | fixed |
| | bookworm | 15.0.0-2 | fixed |
| | trixie | 20.0.0-1 | fixed |
| | forky, sid | 21.0.0-1 | fixed |
| python-mistralclient (PTS) | bullseye | 1:4.1.1-2 | vulnerable |
| | bullseye (security) | 1:4.1.1-2+deb11u1 | fixed |
| | bookworm | 1:4.5.0-2 | fixed |
| | trixie | 1:5.4.0-2 | fixed |
| | forky, sid | 1:6.0.0-2 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| mistral-dashboard | source | bullseye | 11.0.0-2+deb11u1 | | DLA-4392-1 | |
| mistral-dashboard | source | (unstable) | 15.0.0~rc1-1 | | | |
| python-mistralclient | source | bullseye | 1:4.1.1-2+deb11u1 | | DLA-4391-1 | |
| python-mistralclient | source | (unstable) | 1:4.3.0-2 | | | |

Notes

https://review.opendev.org/c/openstack/mistral-dashboard/+/800952
Fixed by: https://opendev.org/openstack/mistral-dashboard/commit/8b876b0b22b365f24af1eb9eae01ad3d22cc1533 (15.0.0.0rc1)
Fixed by: https://opendev.org/openstack/mistral-dashboard/commit/c077728bfa6001f0cb1ac22b0bacd74eb1967b04 (14.0.1)
https://review.opendev.org/c/openstack/python-mistralclient/+/800950
Fixed by: https://opendev.org/openstack/python-mistralclient/commit/ab54cb9ae576c2b29c7cd9a9628f3908aaa3e0ee (4.3.0)
