We know that exposing $p$, or $q$ or $\phi(n)$ results in trivial attacks on RSA since they allow us to factor $n$ and to compute the private exponent $d$.
In OpenSSL (and most RSA implementations) decryption is done via the CRT, so we store $n$ and $d$, but also store $d \bmod (p-1)$ and $d \bmod (q-1)$ as CRT exponents. Suppose these leaked... is there a practical attack?
Yes, there is a practical attack. Leaking those (or even just one of those) allows us to factor the modulus quite efficiently.
Suppose the attacker knows the values $n$, $e$ (the public exponent) and the value of $d \bmod (p-1)$ (which we will call $dp$).
Then, the attacker selects a value $m$, and then computes:
$gcd( n, m ^ {e \cdot dp-1} - 1 \bmod n)$
To see why this is likely to give us a nontrivial factor of $n$, let us consider the value of $m ^ {e \cdot dp-1} \bmod p$ (which we can do, even if we don't know the value of p). We see that this is:
$m ^ {e \cdot dp-1} \bmod p = 1$
This is because $e \cdot dp = 1 \mod (p-1)$ (and Fermat's Little Theorem).
In contrast, this same value modulo q is (with high probability, assuming $m$ was selected randomly) not 1, and so $m ^ {e \cdot dp-1} - 1 \bmod n$ will have $p$ as a factor, but not $q$. And thus,
$gcd( n, m ^ {e \cdot dp-1} - 1 \bmod n) = p$
with high probability.
