Security readout for executives and security teams
Plain-English summary
CVE-2021-4472 is a medium-severity local file inclusion issue in the OpenStack mistral-dashboard plugin. An authenticated user with access to the Create Workbook feature may be able to make the application disclose arbitrary local file contents from the affected server context.
Executive priority
Prioritize remediation for OpenStack environments where mistral-dashboard is available to broad tenant, operator, or support user groups. The issue is not marked as actively exploited in the bundle, but the confidentiality impact is high because arbitrary local file disclosure may expose secrets or sensitive configuration.
Technical view
The vulnerability is classified as CWE-73 and has CVSS 3.1 score 6.5 with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The source bundle identifies the affected area as mistral-dashboard/python-mistralclient behavior reachable through the Create Workbook feature. The listed affected product set is Red Hat OpenStack Platform 13 (Queens), with multiple rhosp13 OpenStack package entries marked affected in the bundle.
Likely exposure
Exposure is most likely in OpenStack environments where Horizon/mistral-dashboard is deployed and reachable by authenticated users, especially Red Hat OpenStack Platform 13 (Queens) deployments matching the affected package entries in the bundle. The issue requires privileges, so anonymous internet exposure is not indicated by the provided CVSS vector.
Exploitation context
The bundle does not indicate CISA KEV listing and does not provide evidence of active exploitation. A successful attack would center on abusing Create Workbook functionality to trigger server-side local file inclusion and disclose file contents, but no exploit code, payload, or active exploitation source is provided.
Researcher notes
The affected list in the bundle is broad and Red Hat-specific, covering Red Hat OpenStack Platform 13 (Queens) package entries. The references include Red Hat, Launchpad, Bugzilla, OpenDev review links, and Debian LTS announcements, but the bundle does not include specific fixed version details. Avoid claiming active exploitation because KEV is false and no provided source states exploitation in the wild.
Mitigation direction
- Identify whether mistral-dashboard is deployed and whether the affected Red Hat OpenStack Platform 13 package entries are present.
- Apply vendor-provided security updates or fixed packages where available; if patch evidence is unclear for a specific deployment, check Red Hat, OpenStack, Debian, or distribution guidance before assuming a fixed version.
- Restrict access to Horizon/mistral-dashboard and the Create Workbook workflow to trusted users and roles until remediation is confirmed.
- Review application and access logs for unusual Create Workbook activity or file-read related errors without attempting exploit reproduction in production.
- Treat any exposed local secrets, configuration files, or credentials as potentially at risk if suspicious activity is found.
Validation and detection
- Confirm the deployed OpenStack release, mistral-dashboard presence, and relevant package inventory against the affected product/package list in the source bundle.
- Verify installed package versions against vendor advisories or distribution security updates rather than relying on package names alone.
- Confirm that only expected roles can access the Create Workbook feature.
- After applying updates, run the organization’s normal OpenStack dashboard regression tests and confirm workbook creation still works for legitimate inputs.
- Review logs for historical access to the vulnerable workflow and document whether any suspicious authenticated usage occurred.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-73: File access and web shell behavior lookup
File traversal and upload weaknesses can lead teams to review file, web shell, execution, and collection telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupContainer behavior lookup
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2021-4472 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 6.5 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N2.83.6Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
6.5MediumVector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Source materials
- CVE List V5 sourceCVE List V5
- https://access.redhat.com/security/cve/CVE-2021-4472CVE reference · vdb-entry, x_refsource_REDHAT
- https://bugs.launchpad.net/horizon/+bug/1931558CVE reference
- RHBZ#2417321CVE reference · issue-tracking, x_refsource_REDHAT
- https://review.opendev.org/c/openstack/mistral-dashboard/+/800952CVE reference
- https://review.opendev.org/c/openstack/python-mistralclient/+/800950CVE reference
- https://lists.debian.org/debian-lts-announce/2025/12/msg00002.htmlCVE reference
- https://lists.debian.org/debian-lts-announce/2025/12/msg00003.htmlCVE reference
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
External Control of File Name or Path
External Control of File Name or Path represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
