Vulnerability Description
In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openstack | Murano | <= 16.0.0 |
| Openstack | Yaql | < 3.0.0 |
Related Weaknesses (CWE)
References
- https://launchpad.net/bugs/2048114Issue TrackingThird Party Advisory
- https://opendev.org/openstack/murano/tagsIssue Tracking
- https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909Patch
- https://wiki.openstack.org/wiki/OSSN/OSSN-0093Product
- https://launchpad.net/bugs/2048114Issue TrackingThird Party Advisory
- https://opendev.org/openstack/murano/tagsIssue Tracking
- https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909Patch
- https://wiki.openstack.org/wiki/OSSN/OSSN-0093Product
FAQ
What is CVE-2024-29156?
CVE-2024-29156 is a vulnerability with a CVSS score of 6.5 (MEDIUM). In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakag...
How severe is CVE-2024-29156?
CVE-2024-29156 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-29156?
Check the references section above for vendor advisories and patch information. Affected products include: Openstack Murano, Openstack Yaql.