{"containers": {"cna": {"affected": [{"product": "tripleo-ansible", "vendor": "n/a", "versions": [{"status": "affected", "version": "As shipped in Red Hat Openstack 16.1"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in tripleo-ansible version as shipped in Red Hat Openstack 16.1. The Ansible log file is readable to all users during stack update and creation. The highest threat from this vulnerability is to data confidentiality."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-06T16:23:06", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1954250"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2021-31918", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "tripleo-ansible", "version": {"version_data": [{"version_value": "As shipped in Red Hat Openstack 16.1"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in tripleo-ansible version as shipped in Red Hat Openstack 16.1. The Ansible log file is readable to all users during stack update and creation. The highest threat from this vulnerability is to data confidentiality."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1954250", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1954250"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:10:30.968Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1954250"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2021-31918", "datePublished": "2021-05-06T16:23:06", "dateReserved": "2021-04-29T00:00:00", "dateUpdated": "2024-08-03T23:10:30.968Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openstack:16.1:*:*:*:*:*:*:*", "matchCriteriaId": "C9D3F4FF-AD3D-4D17-93E8-84CAFCED2F59", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in tripleo-ansible version as shipped in Red Hat Openstack 16.1. The Ansible log file is readable to all users during stack update and creation. The highest threat from this vulnerability is to data confidentiality."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en la versi\u00f3n tripleo-ansible como es enviado en Red Hat Openstack versi\u00f3n 16.1. El archivo de registro de Ansible es legible para todos los usuarios durante la actualizaci\u00f3n y creaci\u00f3n de la pila. La mayor amenaza de esta vulnerabilidad es la confidencialidad de los datos"}], "id": "CVE-2021-31918", "lastModified": "2024-11-21T06:06:30.537", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-06T17:15:08.180", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1954250"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1954250"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by C\u00e9dric Jeanneret (Red Hat).", "affected_release": [{"advisory": "RHSA-2021:2119", "cpe": "cpe:/a:redhat:openstack:16.1::el8", "package": "tripleo-ansible-0:0.5.1-1.20210323173506.el8ost", "product_name": "Red Hat OpenStack Platform 16.1", "release_date": "2021-05-26T00:00:00Z"}], "bugzilla": {"description": "tripleo-ansible: ansible.log file is visible to unprivileged users", "id": "1954250", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1954250"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["A flaw was found in tripleo-ansible version as shipped in Red Hat Openstack 16.1. The Ansible log file is readable to all users during stack update and creation. The highest threat from this vulnerability is to data confidentiality.", "A flaw was found in tripleo-ansible. The Ansible log file is readable to all users during stack update and creation. The highest threat from this vulnerability is to data confidentiality."], "mitigation": {"lang": "en:us", "value": "This vulnerability can be resolved by manually adjusting the file permissions. Run the following command: chmod o-r /var/lib/mistral/overcloud/ansible.log"}, "name": "CVE-2021-31918", "public_date": "2021-04-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-31918\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-31918"], "threat_severity": "Important", "upstream_fix": "tripleo-ansible 0.5.1"}