GitHub Advisory Database: GHSA-MVF6-HWXH-7V76
History: Mar 18, 2024 - 9:30 a.m.

Information leakage in YAQL

2024-03-18 09:30:30
CWE-200
GitHub Advisory Database
github.com
yaql
murano
information leakage
sensitive service account
muranopl
software vulnerability

AI Score: 6.7 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 15.8%)

When YAQL before 3.0.0 is used in Murano, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.

Affected configurations

Vulners
Node: yaql, Range: <3.0.0

CPE Name    Operator    Version
yaql        lt          3.0.0
