CVE-2016-4972

NameCVE-2016-4972
DescriptionOpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x before 0.8.5 (mitaka) improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files, which allows remote attackers to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh
Debian Bugs828062, 828063, 828064

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
murano (PTS)stretch1:3.0.0-6fixed
buster1:6.0.0-2fixed
bullseye, sid1:8.0.0-2fixed
murano-dashboard (PTS)stretch1:3.0.0-1fixed
buster1:6.0.0-3fixed
bullseye, sid1:8.0.0-1fixed
python-muranoclient (PTS)stretch0.11.1-1fixed
buster1.1.1-2fixed
bullseye, sid1.3.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
muranosource(unstable)1:2.0.1-1828062
murano-dashboardsource(unstable)1:2.0.0-5828064
python-muranoclientsource(unstable)0.8.3-4828063

Notes

Affects: Murano: <=2015.1.1; <=1.0.2; ==2.0.0
Affects: Murano-dashboard: <=2015.1.1; <=1.0.2; ==2.0.0
Affects: Python-muranoclient: <=0.7.2; >=0.8.0<=0.8.4

Search for package or bug name: Reporting problems