CVE-2024-29156

NameCVE-2024-29156
DescriptionIn OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1068459

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
murano (PTS)buster1:6.0.0-2vulnerable
bullseye1:10.0.0-1vulnerable
bookworm1:14.0.0-3vulnerable
sid, trixie1:16.0.0-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
muranosource(unstable)(unfixed)1068459

Notes

https://bugs.launchpad.net/murano/+bug/2048114
https://wiki.openstack.org/wiki/OSSN/OSSN-0093
No fix in Murano, but a change in src:yaql renders this unexploitable:
https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3 (3.0.0)

Search for package or bug name: Reporting problems