Instack-undercloud: rsync leaks information to undercloud
CVE-2022-3596

7.5 HIGH

Summary

An information leak vulnerability has been identified in the OpenStack Undercloud, enabling unauthenticated remote attackers to gain access to sensitive data by merely discovering the undercloud's IP address. This flaw could potentially lead to the exposure of critical private information, including administrator access credentials, thereby heightening the risk of unauthorized access and data compromise.

Affected Version(s)

Red Hat OpenStack Platform 13.0 - ELS 0:8.4.9-13.el7ost

Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS 0:8.4.9-13.el7ost

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD Database, Mitre Database

Credit

Red Hat would like to thank Maciej Relewicz (Juniper Networks) for reporting this issue.