#VU76912 Information disclosure in Heat - CVE-2023-1625

Cybersecurity Help s.r.o.

Published: 2023-06-05

Vulnerability identifier: #VU76912

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-1625

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Heat
Server applications / Other server solutions

Vendor: Openstack

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the "stack show" command. A remote user can reveal parameters which are supposed to remain hidden.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Heat: before 20.0.0

External links
https://bugzilla.redhat.com/show_bug.cgi?id=2181621
https://github.com/openstack/heat/commit/a49526c278e52823080c7f3fcb72785b93fd4dcb

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu update for heat

SUSE update for openstack-heat, openstack-swift, python-Werkzeug

SUSE update for openstack-heat, python-Werkzeug

Ubuntu update for heat

Information disclosure in Openstack Heat