OpenStack Murano up to 16.0.0 YAQL information disclosure

Summaryinfo

A vulnerability, which was classified as problematic, has been found in OpenStack Murano up to 16.0.0. This affects an unknown function of the component YAQL. The manipulation leads to information disclosure. This vulnerability is documented as CVE-2024-29156. There is not any exploit available. It is recommended to apply a patch to fix this issue.

Detailsinfo

A vulnerability was found in OpenStack Murano up to 16.0.0. It has been rated as problematic. This issue affects an unknown functionality of the component YAQL. The manipulation with an unknown input leads to a information disclosure vulnerability. Using CWE to declare the problem leads to CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Impacted is confidentiality. The summary by CVE is:

In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.

It is possible to read the advisory at wiki.openstack.org. The identification of this vulnerability is CVE-2024-29156. The exploitation is known to be difficult. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1592 according to MITRE ATT&CK.

Applying a patch is able to eliminate this problem.

Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Type

• Cloud Software

Vendor

• OpenStack

Name

• Murano

Version

• 16.0

License

• free

Website

• Vendor: https://www.openstack.org/

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion