CVE-2016-4972

NameCVE-2016-4972
DescriptionOpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x before 0.8.5 (mitaka) improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files, which allows remote attackers to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh (attack range: remote)
Debian Bugs828062, 828063, 828064

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
murano (PTS)stretch1:3.0.0-6fixed
buster1:6.0.0-2fixed
bullseye, sid1:7.0.0-4fixed
murano-dashboard (PTS)stretch1:3.0.0-1fixed
bullseye, sid, buster1:6.0.0-3fixed
python-muranoclient (PTS)stretch0.11.1-1fixed
buster1.1.1-2fixed
bullseye, sid1.2.0-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
muranosource(unstable)1:2.0.1-1high828062
murano-dashboardsource(unstable)1:2.0.0-5high828064
python-muranoclientsource(unstable)0.8.3-4high828063

Notes

Affects: Murano: <=2015.1.1; <=1.0.2; ==2.0.0
Affects: Murano-dashboard: <=2015.1.1; <=1.0.2; ==2.0.0
Affects: Python-muranoclient: <=0.7.2; >=0.8.0<=0.8.4

Search for package or bug name: Reporting problems