| Name | CVE-2024-29156 |
| Description | In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1068459 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| murano (PTS) | stretch | 1:3.0.0-6 | vulnerable |
| buster | 1:6.0.0-2 | vulnerable |
| bullseye | 1:10.0.0-1 | vulnerable |
| bookworm | 1:14.0.0-3 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| murano | source | stretch | (unfixed) | end-of-life | | |
| murano | source | (unstable) | (unfixed) | | | 1068459 |
Notes
[bookworm] - murano <ignored> (To be removed in point release)
[bullseye] - murano <ignored> (To be removed in point release)
https://bugs.launchpad.net/murano/+bug/2048114
https://wiki.openstack.org/wiki/OSSN/OSSN-0093
No fix in Murano, but a change in src:yaql renders this unexploitable:
https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3 (3.0.0)