{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-29156", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-03-25T20:07:53.472Z", "dateReserved": "2024-03-18T00:00:00.000Z", "datePublished": "2024-03-18T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-03-18T06:35:36.354Z"}, "descriptions": [{"lang": "en", "value": "In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0093"}, {"url": "https://launchpad.net/bugs/2048114"}, {"url": "https://opendev.org/openstack/murano/tags"}, {"url": "https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-116", "lang": "en", "description": "CWE-116 Improper Encoding or Escaping of Output"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-03-18T19:16:54.949618Z", "id": "CVE-2024-29156", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-25T20:07:53.472Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:53.909Z"}, "title": "CVE Program Container", "references": [{"url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0093", "tags": ["x_transferred"]}, {"url": "https://launchpad.net/bugs/2048114", "tags": ["x_transferred"]}, {"url": "https://opendev.org/openstack/murano/tags", "tags": ["x_transferred"]}, {"url": "https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0093", "tags": ["x_transferred"]}, {"url": "https://launchpad.net/bugs/2048114", "tags": ["x_transferred"]}, {"url": "https://opendev.org/openstack/murano/tags", "tags": ["x_transferred"]}, {"url": "https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:53.909Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-29156", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-18T19:16:54.949618Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116 Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:18.555Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0093"}, {"url": "https://launchpad.net/bugs/2048114"}, {"url": "https://opendev.org/openstack/murano/tags"}, {"url": "https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3"}], "descriptions": [{"lang": "en", "value": "In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-03-18T06:35:36.354Z"}}}, "cveMetadata": {"cveId": "CVE-2024-29156", "state": "PUBLISHED", "dateUpdated": "2025-03-25T20:07:53.472Z", "dateReserved": "2024-03-18T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-03-18T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:murano:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF1912AF-D90E-47E5-8964-7DB9A611E940", "versionEndIncluding": "16.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:yaql:*:*:*:*:*:*:*:*", "matchCriteriaId": "A6F49D33-63BF-4762-AE0D-4435A6E60C5F", "versionEndExcluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information."}, {"lang": "es", "value": "En OpenStack Murano hasta 16.0.0, cuando se utiliza YAQL anterior a 3.0.0, la extensi\u00f3n MuranoPL del servicio Murano para el lenguaje YAQL no logra sanitizar el entorno proporcionado, lo que genera una posible fuga de informaci\u00f3n confidencial de la cuenta de servicio."}], "id": "CVE-2024-29156", "lastModified": "2025-03-25T20:15:21.533", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-03-18T07:15:05.880", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://launchpad.net/bugs/2048114"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://opendev.org/openstack/murano/tags"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0093"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://launchpad.net/bugs/2048114"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://opendev.org/openstack/murano/tags"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0093"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-116"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank lawliet and edwardpeng(@edwardzpeng) (Sangfor Security Research Team) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2024:4053", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "openstack-tripleo-common-0:11.7.1-2.20230809225405.e189622.el8ost", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4053", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "openstack-tripleo-heat-templates-0:11.6.1-2.20230808225220.el8ost", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4053", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "python-yaql-0:1.1.3-9.el8ost", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:1930", "cpe": "cpe:/a:redhat:openstack:17.1::el8", "package": "openstack-tripleo-heat-templates-0:14.3.1-17.1.20231103003748.2.el8ost", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1930", "cpe": "cpe:/a:redhat:openstack:17.1::el8", "package": "python-yaql-0:1.1.3-11.el8ost", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1931", "cpe": "cpe:/a:redhat:openstack:17.1::el9", "package": "openstack-tripleo-heat-templates-0:14.3.1-17.1.20231103010826.2.el9ost", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 9", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1931", "cpe": "cpe:/a:redhat:openstack:17.1::el9", "package": "python-yaql-0:1.1.3-11.el9ost", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 9", "release_date": "2024-04-22T00:00:00Z"}], "bugzilla": {"description": "YAQL: OpenStack Murano Component Information Leakage", "id": "2269112", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269112"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-200", "details": ["In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.", "A flaw was found in the Murano component of OpenStack. This vulnerability allows ordinary users capable of importing and deploying app packages to access sensitive information within OpenStack services. Specifically, through this exploit, unauthorized users can obtain Murano service account credentials, potentially escalating their privileges to an administrator level. Subsequently, unauthorized users can gain complete control over various resources, including user roles, hosts, and networks. The exploit allows access to the Murano service's oslo configuration storage, thereby exposing critical Murano service account credentials, and granting unauthorized users administrative privileges."], "name": "CVE-2024-29156", "package_state": [{"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Out of support scope", "package_name": "openstack-heat", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Out of support scope", "package_name": "openstack-tripleo-heat-templates", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "openstack-heat", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Affected", "package_name": "openstack-heat", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Affected", "package_name": "rhel8/python-yaql", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Affected", "package_name": "rhel9/python-yaql", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Affected", "package_name": "openstack-heat", "product_name": "Red Hat OpenStack Platform 18.0"}], "public_date": "2024-03-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-29156\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-29156\nhttps://bugs.launchpad.net/murano/+bug/2048114"], "threat_severity": "Important"}