CVE-2024-7319
Publication date 2 August 2024
Last updated 22 October 2024
Ubuntu priority
CVSS 3 Severity Score
An incomplete fix for CVE-2023-1625 was found in openstack-heat. Sensitive information may be disclosed through the OpenStack stack abandon command when the hidden feature is set to True and the CVE-2023-1625 fix is applied.
Status
Package | Ubuntu Release | Status |
---|---|---|
heat | 24.10 oracular | Vulnerable, fix deferred |
heat | 24.04 LTS noble | Vulnerable, fix deferred |
heat | 22.04 LTS jammy | Vulnerable, fix deferred |
heat | 20.04 LTS focal | Vulnerable, fix deferred |
heat | 18.04 LTS bionic | Vulnerable, fix deferred |
heat | 16.04 LTS xenial | Vulnerable, fix deferred |
Notes
mdeslaur
See the OpenStack bug; there isn't likely to be a fix available for this issue. This vulnerability requires the "Abandon" feature to be enabled, while it is disabled by default. Fixing this will also break the "Adopt" feature, which is also disabled by default. As of 2024-10-22, there is no fix for this issue available from heat developers.
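Because no fix is available and exposure depends on the "Abandon" feature being switched on, the practical check is whether a deployment's Heat configuration enables it. The following is an added example, not part of this advisory or of Heat's code: it assumes the switches are Heat's `enable_stack_abandon` and `enable_stack_adopt` boolean options in the `[DEFAULT]` section (neither name appears on this page), and the sample configuration is constructed.

```python
import configparser

# Boolean spellings accepted for oslo.config-style options (case-insensitive).
_TRUE = {"true", "1", "on", "yes"}
_FALSE = {"false", "0", "off", "no"}
# Assumed option names; both default to False when absent.
OPTIONS = ("enable_stack_abandon", "enable_stack_adopt")

# Constructed sample, not taken from a real deployment.
SAMPLE_CONF = """\
[DEFAULT]
debug = false
enable_stack_abandon = True
log_date_format = %Y-%m-%d %H:%M:%S

[database]
connection = sqlite://
"""


def heat_preview_features(conf_text):
    """Return {option: bool} for the abandon/adopt switches in heat.conf text."""
    parser = configparser.ConfigParser(
        strict=False,        # tolerate repeated keys; the last one wins
        interpolation=None,  # values such as date formats contain '%'
    )
    parser.read_string(conf_text)
    result = {}
    for opt in OPTIONS:
        raw = parser.defaults().get(opt)
        if raw is None:
            result[opt] = False  # option absent: feature stays disabled
            continue
        value = raw.strip().strip("\"'").lower()
        if value in _TRUE:
            result[opt] = True
        elif value in _FALSE:
            result[opt] = False
        else:
            raise ValueError(f"{opt}: unrecognised boolean {raw!r}")
    return result


def abandon_enabled(conf_text):
    """True when the precondition for CVE-2024-7319 is met in this config."""
    return heat_preview_features(conf_text)["enable_stack_abandon"]


if __name__ == "__main__":
    print(heat_preview_features(SAMPLE_CONF))
```

Pass the contents of the deployment's own Heat configuration file to `abandon_enabled`; a `True` result means the host meets the precondition described in the note above.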
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.0 · Medium |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Changed |
Confidentiality | Low |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |