CVE-2018-16856

In a default Red Hat Openstack Platform Director installation, openstack-octavia before versions openstack-octavia 2.0.2-5 and openstack-octavia-3.0.1-0.20181009115732 creates log files that are readable by all users. Sensitive information such as private keys can appear in these log files allowing for information exposure.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16856	Issue Tracking Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:openstack:octavia::::::::
	cpe:2.3:a:openstack:octavia::::::::

Configuration 2 (hide)

OR	cpe:2.3:a:redhat:openstack:12:::::::*
	cpe:2.3:a:redhat:openstack:13:::::::*
	cpe:2.3:a:redhat:openstack:14:::::::*

History

04 Aug 2021, 17:15

Type	Values Removed	Values Added
CPE	cpe:2.3:a:redhat:openstack:12.0:::::::* cpe:2.3:a:redhat:openstack:14.0:::::::* cpe:2.3:a:redhat:openstack:13.0:::::::*	cpe:2.3:a:redhat:openstack:13:::::::* cpe:2.3:a:redhat:openstack:12:::::::* cpe:2.3:a:redhat:openstack:14:::::::*

Information

Published : 2019-03-26 18:29

Updated : 2023-12-10 12:59

NVD link : CVE-2018-16856

Mitre link : CVE-2018-16856

CVE.ORG link : CVE-2018-16856

JSON object : View

Products Affected

openstack

octavia

redhat

openstack

CWE

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2018-16856", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2019-03-26T18:29:00.357", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16856", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-532"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "In a default Red Hat Openstack Platform Director installation, openstack-octavia before versions openstack-octavia 2.0.2-5 and openstack-octavia-3.0.1-0.20181009115732 creates log files that are readable by all users. Sensitive information such as private keys can appear in these log files allowing for information exposure."}, {"lang": "es", "value": "En una instalaci\u00f3n de Red Hat Openstack Platform Director por defecto, openstack-octavia en versiones anteriores a la 2.0.2-5 y openstack-octavia-3.0.1-0.20181009115732 crean archivos de registro que pueden ser le\u00eddos por todos los usuarios. La informaci\u00f3n sensible, como las claves privadas, puede aparecer en estos archivos, lo que permite la exposici\u00f3n de informaci\u00f3n."}], "lastModified": "2021-08-04T17:15:13.067", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openstack:octavia:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0F18AB12-4884-4669-9046-39464A7AAC16", "versionEndExcluding": "2.0.2-5", "versionStartIncluding": "2.0.0"}, {"criteria": "cpe:2.3:a:openstack:octavia:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E8D54E3C-4629-4B5A-B361-41EE65E19CB5", "versionEndExcluding": "3.0.1-0.20181009115732", "versionStartIncluding": "3.0.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openstack:12:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4D4AC996-B340-4A14-86F7-FF83B4D5EC8F"}, {"criteria": "cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "704CFA1A-953E-4105-BFBE-406034B83DED"}, {"criteria": "cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EB7F358B-5E56-41AB-BB8A-23D3CB7A248B"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}