CRITICAL 9.8

PYSEC-2026-430

OpenStack Murano Code Execution

Details

OpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x before 0.8.5 (mitaka) improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files, which allows remote attackers to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages.
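
The loader pattern described above beside its hardened form, as an added example that is not Murano's own code. `UnsafeUiLoader`, `SafeUiLoader`, the `!yaql` handler and both sample documents are constructed for illustration; PyYAML is assumed to be installed, and the tagged callable is the harmless `os.getcwd`.

```python
import yaml

# Constructed sample: UI-definition fragment carrying a Python-specific tag.
# os.getcwd is a harmless stand-in for whatever a crafted package would name.
CRAFTED_UI = """
Version: 2
Forms:
  - name: !!python/object/apply:os.getcwd []
"""

# Constructed sample: the same fragment using only an application tag.
BENIGN_UI = """
Version: 2
Forms:
  - name: !yaql "$.appConfiguration.name"
"""

class YaqlExpression(str):
    """Hypothetical wrapper for an application-specific tagged scalar."""

class UnsafeUiLoader(yaml.Loader):
    """Pattern from the advisory: custom loader inheriting yaml.Loader."""

class SafeUiLoader(yaml.SafeLoader):
    """Hardened form: same custom tag, built on yaml.SafeLoader."""

def _construct_yaql(loader, node):
    return YaqlExpression(loader.construct_scalar(node))

# add_constructor copies the tag table per class, so the base loaders stay untouched.
for _cls in (UnsafeUiLoader, SafeUiLoader):
    _cls.add_constructor("!yaql", _construct_yaql)

def parse_ui(text, loader_cls):
    return yaml.load(text, Loader=loader_cls)

def is_rejected(text, loader_cls):
    """True when the loader refuses a tag it has no constructor for."""
    try:
        parse_ui(text, loader_cls)
    except yaml.constructor.ConstructorError:
        return True
    return False
```

Both loaders accept the application tag, but only the `yaml.SafeLoader` subclass refuses the `!!python/...` tag instead of importing and calling the named object.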

Affected packages

PyPI / murano-dashboard
First affected version: 2.0.0. Fixed version: 2.0.1
Fix: pip install --upgrade 'murano-dashboard>=2.0.1'

References