CVE-2024-29156: Infoleak
First published: Tue Mar 12 2024(Updated: )
In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/yaql | <3.0.0 | 3.0.0 |
| OpenStack Mitaka-Murano | <=16.0.0 | |
| OpenStack Yaql | <3.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://launchpad.net/bugs/2048114
- https://opendev.org/openstack/murano/tags
- https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3
- https://wiki.openstack.org/wiki/OSSN/OSSN-0093
- https://nvd.nist.gov/vuln/detail/CVE-2024-29156
- https://bugs.launchpad.net/murano/+bug/2048114
- https://github.com/advisories/GHSA-mvf6-hwxh-7v76 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2270037
- https://access.redhat.com/errata/RHSA-2024:1931
- https://access.redhat.com/errata/RHSA-2024:1930
- https://access.redhat.com/errata/RHSA-2024:4053
- https://bugzilla.redhat.com/show_bug.cgi?id=2269112
Frequently Asked Questions
What is the severity of CVE-2024-29156?
CVE-2024-29156 is classified as a critical vulnerability due to its potential for sensitive data leakage.
How do I fix CVE-2024-29156?
To fix CVE-2024-29156, upgrade YAQL to version 3.0.0 or later.
What versions of Murano are affected by CVE-2024-29156?
CVE-2024-29156 affects OpenStack Murano through version 16.0.0.
What types of information could be leaked due to CVE-2024-29156?
CVE-2024-29156 could lead to leakage of sensitive service account information.
Is the vulnerability CVE-2024-29156 specific to certain OpenStack components?
Yes, CVE-2024-29156 specifically affects the Murano service and the YAQL language prior to version 3.0.0.
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-mvf6-hwxh-7v76
- alias/CVE-2024-29156
- agent/software-canonical-lookup
- agent/weakness
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- agent/epss
- collector/epss-latest
- source/FIRST
- agent/first-publish-date
- agent/description
- agent/references
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- agent/trending
- agent/source
- agent/severity
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/event
- agent/tags
- collector/nvd-api
- package-manager/pip
- vendor/openstack
- canonical/openstack mitaka-murano
- version/openstack mitaka-murano/16.0.0
- canonical/openstack yaql