PT-2024-3877 · Openstack+1 · Openstack Murano+1

Edwardzpeng

+2

·

Published

2024-01-04

·

Updated

2025-03-25

·

CVE-2024-29156

CVSS v2.0

7.2

High

VectorAV:L/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: OpenStack Murano versions prior to 16.0.0 with YAQL versions prior to 3.0.0
Description: The issue is related to the Murano service's MuranoPL extension to the YAQL language, which fails to sanitize the supplied environment. This could lead to potential leakage of sensitive service account information.
Recommendations: For OpenStack Murano versions prior to 16.0.0 with YAQL versions prior to 3.0.0, consider disabling the Murano service or fully removing it from all OpenStack deployments as a temporary workaround until a patch is available.

Fix

Improper Access Control

Improper Encoding or Escaping of Output

Information Disclosure

Incorrect Privilege Assignment

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-284CWE-116CWE-200CWE-266

Related Identifiers

BDU:2024-04279
CVE-2024-29156
GHSA-MVF6-HWXH-7V76
OESA-2024-1328
OESA-2024-1329
OESA-2024-1330
OESA-2024-1331
OESA-2024-1332
RHSA-2024:1930
RHSA-2024:1931
RHSA-2024:4053

Affected Products

Debian
Openstack Murano