Vulnerabilities > CVE-2024-29156 - Unspecified vulnerability in Openstack Murano and Yaql

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

openstack

NVD

Published: 2024-03-18

Updated: 2025-02-27

Summary

In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.

Vulnerable Configurations

Part	Description	Count
Application	Openstack Openstack Yaql * Openstack Murano 1.0.2	2

References

https://launchpad.net/bugs/2048114
https://launchpad.net/bugs/2048114
https://opendev.org/openstack/murano/tags
https://opendev.org/openstack/murano/tags
https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3
https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3
https://wiki.openstack.org/wiki/OSSN/OSSN-0093
https://wiki.openstack.org/wiki/OSSN/OSSN-0093