CVE-2016-4972

Name: CVE-2016-4972
Description: OpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x before 0.8.5 (mitaka) improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files, which allows remote attackers to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 828062, 828063, 828064
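The description above states the whole bug in one clause: a loader class that inherits from yaml.Loader inherits the full loader's tag:yaml.org,2002:python/* constructors, so any package author who can ship a UI definition can name a Python callable in a tag and have it invoked at parse time. The following is an added illustration of that pattern and of the standard remedy (deriving from yaml.SafeLoader and registering only the application's own tag); it is not Murano's code and not the upstream patch. The `!yaql` tag name is taken from Murano's file format, but the constructor and the `YaqlExpression` class are stand-ins, the two UI documents are constructed for this example, and `builtins.sorted` is a deliberately harmless substitute for the callable an attacker would actually name.

```python
import yaml
from yaml.constructor import ConstructorError


class YaqlExpression:
    """Stand-in for a domain-specific node (Murano UI files carry a !yaql
    tag; this class is illustrative, not Murano's implementation)."""

    def __init__(self, expr):
        self.expr = expr

    def __repr__(self):
        return "YaqlExpression(%r)" % (self.expr,)


def _construct_yaql(loader, node):
    # The only constructor the application actually needs.
    return YaqlExpression(loader.construct_scalar(node))


class UnsafePackageLoader(yaml.Loader):
    """Vulnerable pattern: subclassing yaml.Loader keeps every
    tag:yaml.org,2002:python/* constructor registered, so the document
    author decides which Python callables run during parsing."""


class SafePackageLoader(yaml.SafeLoader):
    """Hardened pattern: yaml.SafeLoader knows only the core YAML types;
    the application tag is added explicitly and nothing else."""


# add_constructor() copies the registry into the subclass on first use, so
# these registrations do not modify yaml.Loader / yaml.SafeLoader themselves.
UnsafePackageLoader.add_constructor("!yaql", _construct_yaql)
SafePackageLoader.add_constructor("!yaql", _construct_yaql)

# Constructed sample: a legitimate UI definition using the custom tag.
BENIGN_UI = """\
Version: 2
Application:
  type: io.murano.apps.Example
  name: !yaql $.appConfiguration.name
"""

# Constructed sample: a crafted UI definition whose extended tag names an
# arbitrary Python callable. builtins.sorted is a harmless placeholder for
# what an attacker would put here (an os or subprocess function).
MALICIOUS_UI = """\
Version: 2
Application:
  type: io.murano.apps.Example
  name: !!python/object/apply:builtins.sorted
    - [3, 1, 2]
"""


def registered_python_tags(loader_cls):
    """Audit check: every python/* tag a loader class will honour.
    A non-empty result means the loader can build arbitrary objects."""
    tags = list(loader_cls.yaml_constructors) + list(loader_cls.yaml_multi_constructors)
    return sorted(t for t in tags if t and t.startswith("tag:yaml.org,2002:python/"))


def parse_unsafe(text):
    return yaml.load(text, Loader=UnsafePackageLoader)


def parse_safe(text):
    return yaml.load(text, Loader=SafePackageLoader)


def safe_loader_rejects(text):
    """True if the hardened loader refuses the document rather than
    constructing the object the tag asks for."""
    try:
        parse_safe(text)
    except ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print("python/* tags, unsafe loader:", registered_python_tags(UnsafePackageLoader))
    print("python/* tags, safe loader:  ", registered_python_tags(SafePackageLoader))
    print("unsafe loader, crafted file: ", parse_unsafe(MALICIOUS_UI))
    print("safe loader, benign file:    ", parse_safe(BENIGN_UI))
    print("safe loader rejects crafted: ", safe_loader_rejects(MALICIOUS_UI))
```

With the yaml.Loader-derived class the crafted file parses "successfully" and `Application.name` comes back as the return value of the callable named in the tag, which is exactly the arbitrary-object construction the advisory describes; the SafeLoader-derived class raises a ConstructorError on the same input while still handling the legitimate `!yaql` document. The `registered_python_tags` check is the quick audit to run against any custom loader class in a codebase: if it lists anything, the base class is wrong.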

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package             Release       Version      Status
murano (PTS)               buster        1:6.0.0-2    fixed
                           bullseye      1:10.0.0-1   fixed
                           bookworm      1:14.0.0-3   fixed
murano-dashboard (PTS)     buster        1:6.0.0-3    fixed
                           bullseye      1:10.0.0-2   fixed
                           bookworm      1:14.0.0-1   fixed
python-muranoclient (PTS)  buster        1.1.1-2      fixed
                           bullseye      2.1.1-2      fixed
                           bookworm      2.5.0-2      fixed
                           sid, trixie   2.8.0-2      fixed

The information below is based on the following data on fixed versions.

Package              Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
murano               source   (unstable)   1:2.0.1-1                          828062
murano-dashboard     source   (unstable)   1:2.0.0-5                          828064
python-muranoclient  source   (unstable)   0.8.3-4                            828063

Notes

Affects: Murano: <=2015.1.1; <=1.0.2; ==2.0.0
Affects: Murano-dashboard: <=2015.1.1; <=1.0.2; ==2.0.0
Affects: Python-muranoclient: <=0.7.2; >=0.8.0 <=0.8.4
