Remote Code Execution in OpenStack Murano and Dashboard by improper YAML parsing
CVE-2016-4972

9.8CRITICAL

Key Information:

Vendor
Openstack
Vendor
CVE Published:
26 September 2016

Summary

OpenStack Murano, including its dashboard and the python-muranoclient, suffers from vulnerabilities due to improper handling of YAML loaders. This flaw enables remote attackers to design malicious YAML tags that can instantiate arbitrary Python objects. When exploited, this could lead to the execution of arbitrary code during the processing of UI definitions in Murano packages, posing significant risks to affected systems.

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.