OpenStack Murano prior to 1.0.3 (liberty) and 2.x prior to 2.0.1 (mitaka), Murano-dashboard prior to 1.0.3 (liberty) and 2.x prior to 2.0.1 (mitaka), and python-muranoclient prior to 0.7.3 (liberty) and 0.8.x prior to 0.8.5 (mitaka) improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files, which allows remote malicious users to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages.
Vulnerable Product |
---|
openstack murano |
openstack mitaka-murano |
openstack python-muranoclient |
openstack murano-dashboard |
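
One way to screen and load UI definitions defensively, shown as an added example (not Murano's own code or its actual patch): a pre-parse scan that flags Python-specific tags without constructing anything, and a loader derived from `yaml.SafeLoader` instead of `yaml.Loader`. It requires PyYAML; `find_python_tags`, `UiLoader`, `load_ui`, the `!expr` tag and the sample document are hypothetical names constructed for illustration.

```python
import yaml

# Constructed sample UI definition; the last field carries a Python-specific
# extended tag of the kind the advisory describes (built for this example).
SAMPLE_UI = """\
Version: 2
Forms:
  - name: appName
    type: string
  - name: probe
    type: !!python/name:os.getcwd
"""

PYTHON_TAG_PREFIX = "tag:yaml.org,2002:python/"


def find_python_tags(text):
    """Return (line, tag) for every node tagged python/*, constructing nothing."""
    hits = []
    # yaml.parse only emits parser events; no constructor is ever invoked.
    for event in yaml.parse(text, Loader=yaml.SafeLoader):
        tag = getattr(event, "tag", None)
        if tag and tag.startswith(PYTHON_TAG_PREFIX):
            hits.append((event.start_mark.line + 1, tag))
    return hits


class UiLoader(yaml.SafeLoader):
    """Hypothetical hardened loader: SafeLoader has no python/* constructors."""


def _construct_expr(loader, node):
    # Hypothetical application tag, kept as inert data and never evaluated here.
    return {"expr": loader.construct_scalar(node)}


UiLoader.add_constructor("!expr", _construct_expr)


def load_ui(text):
    """Load a UI definition; any tag the loader does not know is rejected."""
    try:
        return yaml.load(text, Loader=UiLoader)
    except yaml.constructor.ConstructorError as exc:
        raise ValueError(f"rejected UI definition: {exc.problem}") from exc
```

Registering the application tag on the subclass leaves `yaml.SafeLoader` itself unchanged, so other code that uses the stock safe loader is not affected.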