Smelikyan

**Name of the Vulnerable Software and Affected Versions** OpenStack Murano versions prior to 1.0.3 (liberty) and prior to 2.0.1 (mitaka) Murano-dashboard versions prior to 1.0.3 (liberty) and prior to 2.0.1 (mitaka) python-muranoclient versions prior to 0.7.3 (liberty) and prior to 0.8.5 (mitaka) **Description** The issue allows remote attackers to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages. This is due to the improper use of loaders inherited from `yaml.Loader` when parsing MuranoPL and UI files. **Recommendations** For OpenStack Murano versions prior to 1.0.3 (liberty) and prior to 2.0.1 (mitaka), update to version 1.0.3 (liberty) or 2.0.1 (mitaka) to resolve the issue. For Murano-dashboard versions prior to 1.0.3 (liberty) and prior to 2.0.1 (mitaka), update to version 1.0.3 (liberty) or 2.0.1 (mitaka) to resolve the issue. For python-muranoclient versions prior to 0.7.3 (liberty) and prior to 0.8.5 (mitaka), update to version 0.7.3 (liberty) or 0.8.5 (mitaka) to resolve the issue.