The analysis focused on the local file inclusion vulnerability (CVE-2021-4472) in OpenStack's mistral-dashboard. The root cause was a 'double-loading' problem where user-supplied input, intended to be a workbook definition, was misinterpreted as a file path by the python-mistralclient library. The investigation of the bug reports and the corresponding patches in both mistral-dashboard and python-mistralclient confirmed this. The vulnerable functions were identified by tracing the flow of user input from the dashboard to the client library. The mistraldashboard.api.workbook_validate function was the entry point, passing the raw input to mistralclient.api.v2.workbooks.WorkbookManager.validate. The validate function, in turn, would incorrectly invoke mistralclient.utils.load_file to read the file from the disk. The patches addressed this by introducing a definition_is_raw flag to explicitly prevent the file-loading behavior, thus confirming the roles of these functions in the vulnerability.
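The double-loading pattern described above, reduced to a minimal sketch. This is an added example, not code from mistral-dashboard or python-mistralclient: the function names `read_if_path`, `validate_ambiguous` and `validate_explicit`, the default value of the flag, and the sample file are assumptions made for illustration. Only the `definition_is_raw` flag name comes from the analysis.

```python
import os
import tempfile


def read_if_path(text_or_path):
    """Ambiguous loader (hypothetical): returns file contents when the
    argument happens to name an existing file, otherwise the argument itself."""
    if os.path.isfile(text_or_path):
        with open(text_or_path, encoding="utf-8") as fh:
            return fh.read()
    return text_or_path


def validate_ambiguous(definition):
    """Pre-fix pattern: every caller's input goes through the path check,
    so a web form value is treated the same as a CLI file argument."""
    return {"submitted": read_if_path(definition)}


def validate_explicit(definition, definition_is_raw=False):
    """Post-fix pattern: the caller states whether the input is already the
    definition text. The default of False is an assumption of this sketch."""
    if not definition_is_raw:
        definition = read_if_path(definition)
    return {"submitted": definition}


def demo():
    # Constructed sample: a file on the server that a dashboard user
    # should never be able to read through the validation form.
    with tempfile.TemporaryDirectory() as tmp:
        server_file = os.path.join(tmp, "server-side.conf")
        with open(server_file, "w", encoding="utf-8") as fh:
            fh.write("constructed-server-side-content\n")

        web_input = server_file  # form field holding a path instead of YAML
        before = validate_ambiguous(web_input)["submitted"]
        after = validate_explicit(web_input, definition_is_raw=True)["submitted"]
        cli_use = validate_explicit(server_file)["submitted"]
        return web_input, before, after, cli_use


if __name__ == "__main__":
    for label, value in zip(("input", "before", "after", "cli"), demo()):
        print(f"{label}: {value!r}")
```

With the flag set, the dashboard path passes the submitted string through unchanged, so a path is validated as (invalid) workbook text, while the trusted CLI path keeps its file-loading behaviour.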
| Function | File |
|---|---|
| mistraldashboard.api.workbook_validate | mistraldashboard/api.py |
| mistralclient.api.v2.workbooks.WorkbookManager.validate | mistralclient/api/v2/workbooks.py |
| mistralclient.utils.load_file | mistralclient/utils.py |

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| python-mistralclient | pip | < 4.3.0 | 4.3.0 |