CVE-2024-29156

Source
https://cve.org/CVERecord?id=CVE-2024-29156
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-29156.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-29156
Aliases
Downstream
Published
2024-03-18T07:15:05.880Z
Modified
2026-04-10T05:12:08.013004Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.

References

Affected packages

Git / github.com/openstack/murano

Affected ranges

Type
GIT
Repo
https://github.com/openstack/murano
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "16.0.0"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "3.0.0"
        }
    ]
}

Affected versions

1.*
1.0.0
1.0.0.0b1
1.0.0.0b2
1.0.0.0b3
1.0.0.0rc1
1.0.0.0rc2
1.0.0a0
10.*
10.0.0
10.0.0.0rc1
11.*
11.0.0
11.0.0.0rc1
12.*
12.0.0
12.0.0.0rc1
13.*
13.0.0.0rc1
14.*
14.0.0
14.0.0.0rc1
15.*
15.0.0
15.0.0.0rc1
16.*
16.0.0
16.0.0.0rc1
2.*
2.0.0.0b1
2.0.0.0b2
2.0.0.0b3
2.0.0.0rc1
2014.*
2014.2.b1
2014.2.b2
2014.2.b3
2014.2.rc1
2014.2.rc2
2015.*
2015.1.0b1
2015.1.0b2
2015.1.0b3
2015.1.0rc1
3.*
3.0.0.0b1
3.0.0.0b2
3.0.0.0b3
3.0.0.0rc1
3.1.0
3.2.0
4.*
4.0.0.0b1
4.0.0.0b2
4.0.0.0b3
4.0.0.0rc1
5.*
5.0.0.0b1
5.0.0.0b2
5.0.0.0b3
5.0.0.0rc1
6.*
6.0.0
6.0.0.0b1
6.0.0.0b3
6.0.0.0rc1
7.*
7.0.0.0rc1
8.*
8.0.0
8.0.0.0rc1
9.*
9.0.0.0rc1
Other
i4
iteration3-code-freeze
ocata-em
victoria-em
wallaby-em
xena-em

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-29156.json"