Vulnerability Description
OpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x before 0.8.5 (mitaka) improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files, which allows remote attackers to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages.
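The pattern behind this advisory, shown as an added example that is not Murano's own code: a project loader that subclasses PyYAML's `yaml.Loader` inherits every `python/*` tag constructor, so a tagged value in a package's UI file becomes an arbitrary Python object, while a loader built on `yaml.SafeLoader` only constructs core YAML types. The loader class names, the `find_foreign_tags` audit helper and the sample UI documents are constructed for this demonstration (the harmless `!!python/tuple` tag stands in for the tag family the advisory describes); only `yaml.Loader`, `yaml.SafeLoader`, `yaml.load` and `yaml.parse` are real PyYAML APIs.

```python
import yaml  # PyYAML; yaml.Loader and yaml.SafeLoader are its real classes

# Constructed sample "UI definition" documents for the demonstration.
BENIGN_UI = """\
Version: 2
Application:
  name: demo
"""

# Same shape, but one value carries an explicit python/* tag. !!python/tuple is a
# harmless member of that family; the point is that a yaml.Loader descendant honours
# every tag in it, whereas a SafeLoader descendant refuses all of them.
TAGGED_UI = """\
Version: 2
Application:
  name: !!python/tuple [demo, widget]
"""


class LegacyUiLoader(yaml.Loader):
    """Hypothetical loader written the way the advisory describes: inheriting from
    yaml.Loader pulls in the python/* constructors along with the core YAML ones."""


class HardenedUiLoader(yaml.SafeLoader):
    """Hypothetical fixed loader: SafeLoader only knows the core YAML 1.1 types."""


# Tags SafeLoader constructs; any other explicit tag in a UI file is suspicious.
CORE_TAGS = frozenset(
    "tag:yaml.org,2002:" + t
    for t in ("null", "bool", "int", "float", "binary", "timestamp",
              "omap", "pairs", "set", "str", "seq", "map")
)


def find_foreign_tags(text):
    """Audit step: list explicit tags outside the core set without constructing
    any object. yaml.parse only tokenises and resolves tag handles, so it can be
    run on untrusted input before any loader touches it."""
    found = []
    for event in yaml.parse(text):
        tag = getattr(event, "tag", None)
        if tag is not None and tag not in CORE_TAGS and tag not in found:
            found.append(tag)
    return found


def construct_with(loader_cls, text):
    """Construct the document with the given loader class (hypothetical helper)."""
    return yaml.load(text, Loader=loader_cls)


def loader_rejects(loader_cls, text):
    """True if the given loader refuses the document with a ConstructorError."""
    try:
        construct_with(loader_cls, text)
    except yaml.constructor.ConstructorError:
        return True
    return False


def load_ui_definition(text):
    """Defensive loading: audit the tags first, then construct with the safe loader."""
    foreign = find_foreign_tags(text)
    if foreign:
        raise ValueError("refusing UI definition with non-core tags: %s" % ", ".join(foreign))
    return construct_with(HardenedUiLoader, text)


if __name__ == "__main__":
    # The legacy loader builds a Python tuple from the tagged document ...
    print(construct_with(LegacyUiLoader, TAGGED_UI)["Application"]["name"])
    # ... while the hardened loader and the tag audit both refuse it.
    print(loader_rejects(HardenedUiLoader, TAGGED_UI), find_foreign_tags(TAGGED_UI))
    print(load_ui_definition(BENIGN_UI))
```

The audit step is worth keeping even after switching to `SafeLoader`: it names the offending tag in a log-friendly form, so a package that fails to import can be distinguished from a malformed one, and it never instantiates anything because `yaml.parse` stops at the event stream.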
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openstack | Mitaka-Murano | <= 2.0.0 |
| Openstack | Murano | <= 1.0.2 |
| Openstack | Murano-Dashboard | <= 1.0.2 |
| Openstack | Python-Muranoclient | <= 0.7.2 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2016/06/23/8 (Patch, Third Party Advisory)
- https://bugs.launchpad.net/murano/+bug/1586079 (Patch, Vendor Advisory)
- https://bugs.launchpad.net/python-muranoclient/+bug/1586078 (Patch, Vendor Advisory)
FAQ
What is CVE-2016-4972?
CVE-2016-4972 is a vulnerability with a CVSS score of 9.8 (CRITICAL). OpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x b...
How severe is CVE-2016-4972?
CVE-2016-4972 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2016-4972?
Check the references section above for vendor advisories and patch information. Affected products include: Openstack Mitaka-Murano, Openstack Murano, Openstack Murano-Dashboard, Openstack Python-Muranoclient.