Description
A flaw was found in openstack-mistral. By manipulating the SSH private key filename, the std.ssh action can be used to disclose the presence of arbitrary files within the filesystem of the executor running the action. Since std.ssh private_key_filename can take an absolute path, it can be used to assess whether or not a file exists on the executor's filesystem.
References (2)
Core References
Third Party Advisory x_refsource_confirm
https://bugs.launchpad.net/mistral/+bug/1783708
Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16849
Scores
CVSS v3
3.1
EPSS
0.0013
EPSS Percentile
32.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (2)
pypi/mistral
0 - 7.0.1 (PyPI)
redhat/openstack-mistral
< 7.0.1
Published
Nov 02, 2018
Tracked Since
Feb 18, 2026