security risk local file include (LFI)

Bug #1992829 reported by Sang Tran
Affects: Mistral
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hello all,

I've found a security vulnerability in the mistral project, as described below.

Environment:
OpenStack version: Yoga.

Steps to reproduce:
1. Go to mistral-dashboard
Workflow > Workbooks > Create Workbook > Direct Input
Workflow > Workflows > Create Workflow > Direct Input
Workflow > Actions > Create Action > Direct Input
2. Input the string "/etc/environment" or "/etc/passwd"
3. Then click Validate; mistral responds with all the data of that file

I have also attached an example response with the data of the file "/etc/environment" from my testing environment. An attacker can leverage this bug to get the content of very sensitive data from the server side of the OpenStack control plane, so I hope we can eliminate this as soon as possible.
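The failure mode in the reproduction steps, as an added example that is not mistral's code: a hypothetical validate handler that accepts either definition text or a filesystem path (a convenience that turns a validator into a file reader) next to a hardened version that only ever parses the submitted text and never echoes it back. The toy parser, the function names and the file contents are constructed for the illustration; the report does not identify where in mistral the path gets opened, and this example does not claim to.

```python
"""Added illustration of the report's failure mode (not mistral's code)."""
import os
import tempfile

# Constructed stand-in for a sensitive server file such as /etc/environment.
SECRET_CONTENT = "DB_PASSWORD=s3cret\n"


def _parse_definition(text):
    """Toy definition parser standing in for the real YAML/DSL parser.

    Accepts 'key: value' lines, requires a 'version' key and returns
    (errors, parsed).
    """
    parsed, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            errors.append("line %d: expected 'key: value'" % lineno)
            continue
        parsed[key.strip()] = value.strip().strip("'\"")
    if "version" not in parsed:
        errors.append("missing 'version'")
    return errors, parsed


def validate_vulnerable(definition):
    """Hypothetical buggy handler: 'definition' is treated as a path when a
    file of that name exists, otherwise as definition text.

    The path branch is the local file include: any file the API service
    account can read is loaded, and its text comes back in the response.
    """
    if os.path.isfile(definition):
        with open(definition) as fh:
            definition = fh.read()
    errors, _ = _parse_definition(definition)
    return {"valid": not errors, "errors": errors, "definition": definition}


def validate_hardened(definition):
    """Hardened handler: the request body is only ever definition text.

    No filesystem access, and the input is not echoed back; the caller
    already has it, so errors carry line numbers only.
    """
    if not isinstance(definition, str):
        return {"valid": False, "errors": ["definition must be a string"]}
    errors, _ = _parse_definition(definition)
    return {"valid": not errors, "errors": errors}


def reproduce():
    """Replay step 2 of the report against both handlers, using a temp file
    in place of /etc/environment. Returns (vulnerable, hardened) responses."""
    with tempfile.NamedTemporaryFile("w", suffix=".env", delete=False) as fh:
        fh.write(SECRET_CONTENT)
        path = fh.name
    try:
        return validate_vulnerable(path), validate_hardened(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    leaked, safe = reproduce()
    print("vulnerable:", leaked)
    print("hardened:  ", safe)
```

When checking a fix for this class of bug, submit a path that definitely exists on the API node (the report's /etc/passwd is a good probe) to every validate endpoint the dashboard exposes, and confirm the response contains only a validation error with no fragment of the file; a response that is "invalid" but still echoes the normalized definition leaks exactly as much as a successful one.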

Revision history for this message
Sang Tran (sangtq8) wrote:
Sang Tran (sangtq8): information type: Private Security → Public
Sang Tran (sangtq8): information type: Public → Public Security