{
  "threat_severity" : "Moderate",
  "public_date" : "2024-07-31T04:06:26Z",
  "bugzilla" : {
    "description" : "openstack-heat: Incomplete fix for CVE-2023-1625",
    "id" : "2258810",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2258810"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-200",
  "details" : [ "An incomplete fix for CVE-2023-1625 was found in openstack-heat. Sensitive information may still be disclosed through the OpenStack stack abandon command when the hidden feature is set to True, even with the CVE-2023-1625 fix applied.", "An incomplete fix for CVE-2023-1625 was found in openstack-heat. Sensitive information may still be disclosed through the OpenStack stack abandon command when the hidden feature is set to True, even with the CVE-2023-1625 fix applied." ],
  "statement" : "Although this flaw leaks a password, which could affect confidentiality, the CVSS impact is rated Low for confidentiality and None for integrity and availability (C:L/I:N/A:N). This is because OpenStack cannot be more broadly compromised with the leaked credential, for two reasons:\na) The host has an authorization authority separate from that of the guest virtual machine.\nb) Guest virtual machines configured by other stack configurations cannot be compromised.\nTherefore, the overall severity of the flaw is rated Moderate.",
  "acknowledgement" : "Red Hat would like to thank lujie for reporting this issue.",
  "package_state" : [ {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Out of support scope",
    "package_name" : "openstack-heat",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.1",
    "fix_state" : "Will not fix",
    "package_name" : "openstack-heat",
    "cpe" : "cpe:/a:redhat:openstack:16.1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "fix_state" : "Will not fix",
    "package_name" : "openstack-heat",
    "cpe" : "cpe:/a:redhat:openstack:16.2"
  }, {
    "product_name" : "Red Hat OpenStack Platform 17.0",
    "fix_state" : "Affected",
    "package_name" : "openstack-heat",
    "cpe" : "cpe:/a:redhat:openstack:17.0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-7319\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-7319" ],
  "name" : "CVE-2024-7319",
  "csaw" : false
}