Search criteria
3 vulnerabilities found for yaql by openstack
FKIE_CVE-2024-29156
Vulnerability from fkie_nvd - Published: 2024-03-18 07:15 - Updated: 2025-03-25 20:15
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openstack:murano:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EF1912AF-D90E-47E5-8964-7DB9A611E940",
"versionEndIncluding": "16.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openstack:yaql:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A6F49D33-63BF-4762-AE0D-4435A6E60C5F",
"versionEndExcluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service\u0027s MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information."
},
{
"lang": "es",
"value": "En OpenStack Murano hasta 16.0.0, cuando se utiliza YAQL anterior a 3.0.0, la extensi\u00f3n MuranoPL del servicio Murano para el lenguaje YAQL no logra sanitizar el entorno proporcionado, lo que genera una posible fuga de informaci\u00f3n confidencial de la cuenta de servicio."
}
],
"id": "CVE-2024-29156",
"lastModified": "2025-03-25T20:15:21.533",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-03-18T07:15:05.880",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://launchpad.net/bugs/2048114"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://opendev.org/openstack/murano/tags"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0093"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://launchpad.net/bugs/2048114"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://opendev.org/openstack/murano/tags"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0093"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-116"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
CVE-2024-29156 (GCVE-0-2024-29156)
Vulnerability from cvelistv5 – Published: 2024-03-18 00:00 – Updated: 2025-03-25 20:07
VLAI?
Summary
In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.
Severity ?
6.5 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-29156",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-18T19:16:54.949618Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T20:07:53.472Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:53.909Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0093"
},
{
"tags": [
"x_transferred"
],
"url": "https://launchpad.net/bugs/2048114"
},
{
"tags": [
"x_transferred"
],
"url": "https://opendev.org/openstack/murano/tags"
},
{
"tags": [
"x_transferred"
],
"url": "https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service\u0027s MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-18T06:35:36.354Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0093"
},
{
"url": "https://launchpad.net/bugs/2048114"
},
{
"url": "https://opendev.org/openstack/murano/tags"
},
{
"url": "https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-29156",
"datePublished": "2024-03-18T00:00:00.000Z",
"dateReserved": "2024-03-18T00:00:00.000Z",
"dateUpdated": "2025-03-25T20:07:53.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29156 (GCVE-0-2024-29156)
Vulnerability from nvd – Published: 2024-03-18 00:00 – Updated: 2025-03-25 20:07
VLAI?
Summary
In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.
Severity ?
6.5 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-29156",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-18T19:16:54.949618Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T20:07:53.472Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:53.909Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0093"
},
{
"tags": [
"x_transferred"
],
"url": "https://launchpad.net/bugs/2048114"
},
{
"tags": [
"x_transferred"
],
"url": "https://opendev.org/openstack/murano/tags"
},
{
"tags": [
"x_transferred"
],
"url": "https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service\u0027s MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-18T06:35:36.354Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0093"
},
{
"url": "https://launchpad.net/bugs/2048114"
},
{
"url": "https://opendev.org/openstack/murano/tags"
},
{
"url": "https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-29156",
"datePublished": "2024-03-18T00:00:00.000Z",
"dateReserved": "2024-03-18T00:00:00.000Z",
"dateUpdated": "2025-03-25T20:07:53.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}