CVE-2024-29156
MEDIUM 6.5 | EPSS 0.23% | Information leakage in YAQL
Published: 2024/3/18 | Modified: 2026/4/28
Description
In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.
Affected packages (2)
- Debian/murano from 0
- PyPI/yaql from 0, < 3.0.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References (7)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-29156
- ADVISORY https://security-tracker.debian.org/tracker/CVE-2024-29156
- WEB https://bugs.launchpad.net/murano/+bug/2048114
- WEB https://launchpad.net/bugs/2048114
- WEB https://opendev.org/openstack/murano/tags
- WEB https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3
- WEB https://wiki.openstack.org/wiki/OSSN/OSSN-0093