CVE-2016-4972

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2016-4972

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-4972.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2016-4972

Aliases

Related

UBUNTU-CVE-2016-4972

Published

2016-09-26T16:59:01Z

Modified

2024-12-30T11:45:25.967718Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

OpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x before 0.8.5 (mitaka) improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files, which allows remote attackers to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages.

References

Affected packages

Debian:11 / murano

Package

Name: murano
Purl: pkg:deb/debian/murano?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:2.0.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / murano

Package

Name: murano
Purl: pkg:deb/debian/murano?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:2.0.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:11 / murano-dashboard

Package

Name: murano-dashboard
Purl: pkg:deb/debian/murano-dashboard?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:2.0.0-5

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / murano-dashboard

Package

Name: murano-dashboard
Purl: pkg:deb/debian/murano-dashboard?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:2.0.0-5

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:11 / python-muranoclient

Package

Name: python-muranoclient
Purl: pkg:deb/debian/python-muranoclient?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.8.3-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / python-muranoclient

Package

Name: python-muranoclient
Purl: pkg:deb/debian/python-muranoclient?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.8.3-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/openstack/murano

Affected ranges

Type: GIT
Repo: https://github.com/openstack/murano
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

c9c8662d8253b40eaeb85cf93e9cb86247520efa

Last affected

dccf9ca767ff0d9112116adce25824063e08e581

Type: GIT
Repo: https://github.com/openstack/murano-dashboard.git
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

8489e43b09ebb50a89447ec1f37fb7e7e23bbd7b

Last affected

8fea820ab89daa520a1e737f2750d58c144d7976

Type: GIT
Repo: https://github.com/openstack/python-muranoclient.git
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

15a5de4be50ebe638f8568da6b7d7c8c2febf579

Last affected

242fead1acda6d84597b048caeafb90fe79769be

Affected versions

0.*

0.10.0

0.11.0

0.12.0

0.13.0

0.14.0

0.5.0

0.5.0.a1

0.5.1

0.5.2

0.5.3

0.5.4

0.5.5

0.5.6

0.6.0

0.6.1.0

0.6.2

0.6.3

0.7.0

0.7.1

0.8.0

0.8.1

0.8.2

0.8.3

0.9.0

1.*

1.0.0

1.0.1

1.1.0

1.1.1

1.2.0

1.3.0

2.*

2.0.0

Other

Demo02252013

iteration3-code-freeze

ocata-em

queens-em

stein-em

train-em