{
  "threat_severity" : "Moderate",
  "public_date" : "2023-01-27T00:00:00Z",
  "bugzilla" : {
    "description" : "openstack-heat: information leak in API",
    "id" : "2181621",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2181621"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-202",
  "details" : [ "An information leak was discovered in OpenStack heat. This issue could allow a remote, authenticated attacker to use the 'stack show' command to reveal parameters which are supposed to remain hidden. This has a low impact to the confidentiality, integrity, and availability of the system.", "An information leak was discovered in OpenStack heat. This issue could allow a remote, authenticated attacker to use the 'stack show' command to reveal parameters which are supposed to remain hidden. This has a low impact to the confidentiality, integrity, and availability of the system." ],
  "statement" : "While this flaw leaks a password, which could reduce confidentiality, integrity, and availability, the impact to each part of this triad is rated low. This is because OpenStack cannot be more broadly compromised, for two reasons:\na) The host has an authorization authority separate from that of the guest virtual machine\nb) Guest virtual machines that are configured by different stacks cannot be compromised\nTherefore the overall impact of the flaw is rated Moderate.",
  "acknowledgement" : "Red Hat would like to thank Chengen Du (Canonical) for reporting this issue.",
  "package_state" : [ {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Out of support scope",
    "package_name" : "openstack-heat",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.1",
    "fix_state" : "Will not fix",
    "package_name" : "openstack-heat",
    "cpe" : "cpe:/a:redhat:openstack:16.1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "fix_state" : "Will not fix",
    "package_name" : "openstack-heat",
    "cpe" : "cpe:/a:redhat:openstack:16.2"
  }, {
    "product_name" : "Red Hat OpenStack Platform 17.0",
    "fix_state" : "Fix deferred",
    "package_name" : "openstack-heat",
    "cpe" : "cpe:/a:redhat:openstack:17.0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-1625\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-1625\nhttps://github.com/openstack/heat/commit/a49526c278e52823080c7f3fcb72785b93fd4dcb\nhttps://launchpad.net/bugs/1999665" ],
  "name" : "CVE-2023-1625",
  "csaw" : false
}