Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-29156

In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.

Published

2024-03-18T07:15:05.880

Last Modified

2025-03-25T20:15:21.533

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses

Type: Primary
NVD-CWE-noinfo
Type: Secondary
CWE-116

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	openstack	murano	≤ 16.0.0	Yes
Application	openstack	yaql	< 3.0.0	Yes

References

https://launchpad.net/bugs/2048114 Issue Tracking, Third Party Advisory ([email protected])
https://opendev.org/openstack/murano/tags Issue Tracking ([email protected])
https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3 Patch ([email protected])
https://wiki.openstack.org/wiki/OSSN/OSSN-0093 Product ([email protected])
https://launchpad.net/bugs/2048114 Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://opendev.org/openstack/murano/tags Issue Tracking (af854a3a-2127-422b-91ae-364da2661108)
https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://wiki.openstack.org/wiki/OSSN/OSSN-0093 Product (af854a3a-2127-422b-91ae-364da2661108)