{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-1625", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-03-24T19:25:35.529Z", "datePublished": "2023-09-24T00:08:12.738Z", "dateUpdated": "2024-09-24T14:59:25.505Z"}, "containers": {"cna": {"title": "Information leak in api", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "An information leak was discovered in OpenStack heat. This issue could allow a remote, authenticated attacker to use the 'stack show' command to reveal parameters which are supposed to remain hidden. This has a low impact to the confidentiality, integrity, and availability of the system."}], "affected": [{"product": "openstack-heat", "vendor": "n/a", "defaultStatus": "affected"}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 13 (Queens)", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-heat", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:openstack:13"]}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 16.1", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-heat", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openstack:16.1"]}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 16.2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-heat", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openstack:16.2"]}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 17.0", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-heat", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openstack:17.0"]}, {"product": "OpenStack RDO", "vendor": "RDO", "collectionURL": "https://repos.fedorapeople.org/repos/openstack/", "packageName": "openstack-heat", "defaultStatus": "affected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-1625", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181621", "name": "RHBZ#2181621", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/openstack/heat/commit/a49526c278e52823080c7f3fcb72785b93fd4dcb"}, {"url": "https://launchpad.net/bugs/1999665"}], "datePublic": "2023-01-27T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-202", "description": "Exposure of Sensitive Information Through Data Queries", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-202: Exposure of Sensitive Information Through Data Queries", "timeline": [{"lang": "en", "time": "2023-03-24T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-01-27T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Chengen Du (Canonical) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-09-24T00:08:12.738Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:57:24.554Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-1625", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181621", "name": "RHBZ#2181621", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://github.com/openstack/heat/commit/a49526c278e52823080c7f3fcb72785b93fd4dcb", "tags": ["x_transferred"]}, {"url": "https://launchpad.net/bugs/1999665", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-24T14:59:09.559299Z", "id": "CVE-2023-1625", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-24T14:59:25.505Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-1625", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181621", "name": "RHBZ#2181621", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://github.com/openstack/heat/commit/a49526c278e52823080c7f3fcb72785b93fd4dcb", "tags": ["x_transferred"]}, {"url": "https://launchpad.net/bugs/1999665", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:57:24.554Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-1625", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-24T14:59:09.559299Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-24T14:59:19.615Z"}}], "cna": {"title": "Information leak in api", "credits": [{"lang": "en", "value": "Red Hat would like to thank Chengen Du (Canonical) for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "n/a", "product": "openstack-heat", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openstack:13"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 13 (Queens)", "packageName": "openstack-heat", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/a:redhat:openstack:16.1"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 16.1", "packageName": "openstack-heat", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openstack:16.2"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 16.2", "packageName": "openstack-heat", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openstack:17.0"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 17.0", "packageName": "openstack-heat", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"vendor": "RDO", "product": "OpenStack RDO", "packageName": "openstack-heat", "collectionURL": "https://repos.fedorapeople.org/repos/openstack/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2023-03-24T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-01-27T00:00:00+00:00", "value": "Made public."}], "datePublic": "2023-01-27T00:00:00+00:00", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-1625", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181621", "name": "RHBZ#2181621", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/openstack/heat/commit/a49526c278e52823080c7f3fcb72785b93fd4dcb"}, {"url": "https://launchpad.net/bugs/1999665"}], "descriptions": [{"lang": "en", "value": "An information leak was discovered in OpenStack heat. This issue could allow a remote, authenticated attacker to use the 'stack show' command to reveal parameters which are supposed to remain hidden. This has a low impact to the confidentiality, integrity, and availability of the system."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-202", "description": "Exposure of Sensitive Information Through Data Queries"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-09-24T00:08:12.738Z"}, "x_redhatCweChain": "CWE-202: Exposure of Sensitive Information Through Data Queries"}}, "cveMetadata": {"cveId": "CVE-2023-1625", "state": "PUBLISHED", "dateUpdated": "2024-09-24T14:59:25.505Z", "dateReserved": "2023-03-24T19:25:35.529Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2023-09-24T00:08:12.738Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:heat:-:*:*:*:*:*:*:*", "matchCriteriaId": "35EFBEEB-51E5-4202-A451-7C1B72E72497", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openstack_platform:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "C52600BF-9E87-4CD2-91F3-685AFE478C1E", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:*", "matchCriteriaId": "DCC81071-B46D-4F5D-AC25-B4A4CCC20C73", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:*", "matchCriteriaId": "4B3000D2-35DF-4A93-9FC0-1AD3AB8349B8", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:17.0:*:*:*:*:*:*:*", "matchCriteriaId": "F7076B1E-0529-43CC-828B-45C2ED11F9F6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An information leak was discovered in OpenStack heat. This issue could allow a remote, authenticated attacker to use the 'stack show' command to reveal parameters which are supposed to remain hidden. This has a low impact to the confidentiality, integrity, and availability of the system."}, {"lang": "es", "value": "Se descubri\u00f3 una fuga de informaci\u00f3n en OpenStack Heat. Este problema podr\u00eda permitir que un atacante remoto y autenticado utilice el comando 'stack show' para revelar par\u00e1metros que se supone deben permanecer ocultos. Esto tiene un impacto bajo en la confidencialidad, integridad y disponibilidad del sistema."}], "id": "CVE-2023-1625", "lastModified": "2023-11-07T04:04:22.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 3.7, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2023-09-24T01:15:43.577", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-1625"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181621"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "https://github.com/openstack/heat/commit/a49526c278e52823080c7f3fcb72785b93fd4dcb"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://launchpad.net/bugs/1999665"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-202"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Chengen Du (Canonical) for reporting this issue.", "bugzilla": {"description": "openstack-heat: information leak in API", "id": "2181621", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181621"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-202", "details": ["An information leak was discovered in OpenStack heat. This issue could allow a remote, authenticated attacker to use the 'stack show' command to reveal parameters which are supposed to remain hidden. This has a low impact to the confidentiality, integrity, and availability of the system.", "An information leak was discovered in OpenStack heat. This issue could allow a remote, authenticated attacker to use the 'stack show' command to reveal parameters which are supposed to remain hidden. This has a low impact to the confidentiality, integrity, and availability of the system."], "name": "CVE-2023-1625", "package_state": [{"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "openstack-heat", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Will not fix", "package_name": "openstack-heat", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Will not fix", "package_name": "openstack-heat", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.0", "fix_state": "Fix deferred", "package_name": "openstack-heat", "product_name": "Red Hat OpenStack Platform 17.0"}], "public_date": "2023-01-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-1625\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-1625\nhttps://github.com/openstack/heat/commit/a49526c278e52823080c7f3fcb72785b93fd4dcb\nhttps://launchpad.net/bugs/1999665"], "statement": "While this flaw leaks a password which could reduce confidentiality, integrity, and availability, the impact to this triad is rated low. This is because OpenStack can not be more broadly compromised for two reasons:\na) The host has separate authorization authority from the guest virtual machine\nb) The guest virtual machines that are configured by different stack configurations cannot be compromised\nTherefore the overall impact of the flaw is rated Moderate.", "threat_severity": "Moderate", "upstream_fix": "openstack-heat 22.0.0.0rc1"}