{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7319", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-07-31T04:01:49.906Z", "datePublished": "2024-08-02T20:36:24.314Z", "dateUpdated": "2025-01-02T14:20:45.636Z"}, "containers": {"cna": {"title": "Openstack-heat: incomplete fix for cve-2023-1625", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "An incomplete fix for CVE-2023-1625 was found in openstack-heat. Sensitive information may possibly be disclosed through the OpenStack stack abandon command with the hidden feature set to True and the CVE-2023-1625 fix applied."}], "affected": [{"versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "22.0.1"}], "packageName": "openstack-heat", "collectionURL": "https://github.com/openstack/heat", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 13 (Queens)", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-heat", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:openstack:13"]}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 16.1", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-heat", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openstack:16.1"]}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 16.2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-heat", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openstack:16.2"]}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 17.0", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-heat", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openstack:17.0"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-7319", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258810", "name": "RHBZ#2258810", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-07-31T04:06:26+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "timeline": [{"lang": "en", "time": "2024-01-17T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-07-31T04:06:26+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank lujie for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-01-02T14:20:45.636Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-07T20:33:25.460176Z", "id": "CVE-2024-7319", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-07T20:33:49.446Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-7319", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-07T20:33:25.460176Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-07T20:33:37.720Z"}}], "cna": {"title": "Openstack-heat: incomplete fix for cve-2023-1625", "credits": [{"lang": "en", "value": "Red Hat would like to thank lujie for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "22.0.1"}], "packageName": "openstack-heat", "collectionURL": "https://github.com/openstack/heat", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:openstack:13"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 13 (Queens)", "packageName": "openstack-heat", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/a:redhat:openstack:16.1"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 16.1", "packageName": "openstack-heat", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openstack:16.2"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 16.2", "packageName": "openstack-heat", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openstack:17.0"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 17.0", "packageName": "openstack-heat", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2024-01-17T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-07-31T04:06:26+00:00", "value": "Made public."}], "datePublic": "2024-07-31T04:06:26+00:00", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-7319", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258810", "name": "RHBZ#2258810", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "descriptions": [{"lang": "en", "value": "An incomplete fix for CVE-2023-1625 was found in openstack-heat. Sensitive information may possibly be disclosed through the OpenStack stack abandon command with the hidden feature set to True and the CVE-2023-1625 fix applied."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-01-02T14:20:45.636Z"}, "x_redhatCweChain": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}}, "cveMetadata": {"cveId": "CVE-2024-7319", "state": "PUBLISHED", "dateUpdated": "2025-01-02T14:20:45.636Z", "dateReserved": "2024-07-31T04:01:49.906Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-08-02T20:36:24.314Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:heat:-:*:*:*:*:*:*:*", "matchCriteriaId": "35EFBEEB-51E5-4202-A451-7C1B72E72497", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openstack_platform:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "C52600BF-9E87-4CD2-91F3-685AFE478C1E", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:*", "matchCriteriaId": "DCC81071-B46D-4F5D-AC25-B4A4CCC20C73", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:*", "matchCriteriaId": "4B3000D2-35DF-4A93-9FC0-1AD3AB8349B8", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:17.0:*:*:*:*:*:*:*", "matchCriteriaId": "F7076B1E-0529-43CC-828B-45C2ED11F9F6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An incomplete fix for CVE-2023-1625 was found in openstack-heat. Sensitive information may possibly be disclosed through the OpenStack stack abandon command with the hidden feature set to True and the CVE-2023-1625 fix applied."}, {"lang": "es", "value": "Se encontr\u00f3 una soluci\u00f3n incompleta para CVE-2023-1625 en openstack-heat. Es posible que se revele informaci\u00f3n confidencial a trav\u00e9s del comando de abandono de pila de OpenStack con la funci\u00f3n oculta configurada en True y la correcci\u00f3n CVE-2023-1625 aplicada."}], "id": "CVE-2024-7319", "lastModified": "2024-10-07T19:15:11.090", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "secalert@redhat.com", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Secondary"}]}, "published": "2024-08-02T21:16:31.180", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2024-7319"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258810"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank lujie for reporting this issue.", "bugzilla": {"description": "openstack-heat: Incomplete fix for CVE-2023-1625", "id": "2258810", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258810"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-200", "details": ["An incomplete fix for CVE-2023-1625 was found in openstack-heat. Sensitive information may possibly be disclosed through the OpenStack stack abandon command with the hidden feature set to True and the CVE-2023-1625 fix applied.", "An incomplete fix for CVE-2023-1625 was found in openstack-heat. Sensitive information may possibly be disclosed through the OpenStack stack abandon command with the hidden feature set to True and the CVE-2023-1625 fix applied."], "name": "CVE-2024-7319", "package_state": [{"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "openstack-heat", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Will not fix", "package_name": "openstack-heat", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Will not fix", "package_name": "openstack-heat", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.0", "fix_state": "Affected", "package_name": "openstack-heat", "product_name": "Red Hat OpenStack Platform 17.0"}], "public_date": "2024-07-31T04:06:26Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-7319\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-7319"], "statement": "While this flaw leaks a password, which could reduce confidentiality, integrity, and availability, the impact to this triad is rated Low. This is because OpenStack can not be more broadly compromised for two reasons:\na) The host has separate authorization authority from the guest virtual machine\nb) The guest virtual machines that are configured by different stack configurations cannot be compromised\nTherefore, the overall impact of the flaw is rated Moderate.", "threat_severity": "Moderate"}