CVE-2024-29156

NameCVE-2024-29156
DescriptionIn OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1068459

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
murano (PTS)bullseye1:10.0.0-1vulnerable
bookworm1:14.0.0-3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
muranosource(unstable)(unfixed)1068459

Notes

[bookworm] - murano <ignored> (To be removed in point release)
[bullseye] - murano <ignored> (To be removed in point release)
[buster] - murano <ignored> (unmaintained upstream)
https://bugs.launchpad.net/murano/+bug/2048114
https://wiki.openstack.org/wiki/OSSN/OSSN-0093
No fix in Murano, but a change in src:yaql renders this unexploitable:
https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3 (3.0.0)

Search for package or bug name: Reporting problems