CVE-2018-16848

A Denial of Service (DoS) condition is possible in OpenStack Mistral in versions up to and including 7.0.3. Submitting a specially crafted workflow definition YAML file containing nested anchors can lead to resource exhaustion culminating in a denial of service.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:N/I:N/A:P

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://bugs.launchpad.net/mistral/+bug/1785657	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1645332	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:redhat:openstack-mistral:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-06-15 15:15

Updated : 2023-12-10 13:27

NVD link : CVE-2018-16848

Mitre link : CVE-2018-16848

CVE.ORG link : CVE-2018-16848

JSON object : View

Products Affected

redhat

openstack-mistral

CWE

CWE-400

Uncontrolled Resource Consumption

{"id": "CVE-2018-16848", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2020-06-15T15:15:09.427", "references": [{"url": "https://bugs.launchpad.net/mistral/+bug/1785657", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1645332", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "A Denial of Service (DoS) condition is possible in OpenStack Mistral in versions up to and including 7.0.3. Submitting a specially crafted workflow definition YAML file containing nested anchors can lead to resource exhaustion culminating in a denial of service."}, {"lang": "es", "value": "Una condici\u00f3n de Denegaci\u00f3n de Servicio (DoS) es posible en OpenStack Mistral en versiones hasta 7.0.3 incluy\u00e9ndola. Enviar un archivo YAML de definici\u00f3n de flujo de trabajo especialmente dise\u00f1ado que contenga anclas anidadas puede conllevar a un agotamiento de recursos que culmina en una denegaci\u00f3n de servicio"}], "lastModified": "2020-06-17T16:49:42.950", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openstack-mistral:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7F7516DE-05C5-4861-8644-731550B9623B", "versionEndIncluding": "7.0.3"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}