Bug 2181621 (CVE-2023-1625) - CVE-2023-1625 openstack-heat: information leak in API
Summary: CVE-2023-1625 openstack-heat: information leak in API
Keywords:
Status: NEW
Alias: CVE-2023-1625
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2181623 2181642 2181643 2181644
Blocks: 2170315
Reported: 2023-03-24 19:33 UTC by Nick Tait
Modified: 2023-09-23 18:56 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An information leak was discovered in OpenStack heat. This issue could allow a remote, authenticated attacker to use the 'stack show' command to reveal parameters which are supposed to remain hidden. This has a low impact on the confidentiality, integrity, and availability of the system.
Clone Of:
Environment:
Last Closed:
Embargoed:

Description Nick Tait 2023-03-24 19:33:35 UTC
An information leak was discovered in openstack heat.
https://review.opendev.org/c/openstack/heat/+/868166
https://github.com/openstack/heat/commit/a49526c278e52823080c7f3fcb72785b93fd4dcb

The get stack environment API doesn't mask hidden parameter values. A malicious system user can get sensitive data through this API even though the encrypt_parameters_and_properties option is set to true. All VMs deployed by this heat template may be compromised.

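The masking the fix above restores, shown as an added example (not Heat's own code): a template declares `db_password` with `hidden: true`, and an environment returned to an API caller must carry the placeholder instead of the raw value in both `parameters` and `parameter_defaults`. The `MASK` string, the function names and the template/environment data are assumptions constructed for this illustration.

```python
# Added example (not Heat's own code): mask values of parameters that a HOT
# template marks `hidden: true` before an environment is handed back to a
# caller, so the environment API does not leak what 'stack show' hides.
from copy import deepcopy

MASK = "******"  # assumption: placeholder shown in place of a hidden value

# Constructed HOT template fragment: one hidden and one ordinary parameter.
TEMPLATE = {
    "heat_template_version": "2018-08-31",
    "parameters": {
        "db_password": {"type": "string", "hidden": True},
        "flavor": {"type": "string", "default": "m1.small"},
    },
}

# Constructed environment as a user might pass it at stack-create time.
# Secrets can sit in either section, so both must be masked.
ENVIRONMENT = {
    "parameters": {"db_password": "s3cr3t-pass", "flavor": "m1.large"},
    "parameter_defaults": {"db_password": "default-pass"},
}

SECTIONS = ("parameters", "parameter_defaults")


def hidden_parameter_names(template):
    """Names of parameters whose spec carries hidden: true (bool or 'true')."""
    params = template.get("parameters") or {}
    return {name for name, spec in params.items()
            if str(spec.get("hidden", False)).lower() == "true"}


def mask_environment(template, environment):
    """Return a copy of the environment with hidden parameter values masked.
    The input is left untouched so the engine's own copy keeps real values."""
    hidden = hidden_parameter_names(template)
    masked = deepcopy(environment)
    for section in SECTIONS:
        values = masked.get(section)
        if isinstance(values, dict):
            for name in values:
                if name in hidden:
                    values[name] = MASK
    return masked


def leaks_hidden_values(template, environment):
    """Check helper: True if any hidden parameter still shows its raw value."""
    hidden = hidden_parameter_names(template)
    return any(name in hidden and value != MASK
               for section in SECTIONS
               for name, value in (environment.get(section) or {}).items())
```

Running `leaks_hidden_values` on the raw environment versus the masked copy is the check a regression test for this class of bug would make.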
Comment 1 Nick Tait 2023-03-24 19:33:49 UTC
Created openstack-heat tracking bugs for this issue:

Affects: openstack-rdo [bug 2181623]
