CVE-2024-29156
Information leakage in YAQL
CVSS 3.1: 6.5 (MEDIUM)
EPSS: 0.23%
Description
In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.
How to fix CVE-2024-29156
To remediate CVE-2024-29156, upgrade the affected package to one of the fixed versions listed below.
- Debian/murano—no fix listed
- —upgrade to 3.0.0 or later
Is CVE-2024-29156 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0
- from 0, < 3.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |