Skip to main content

Improper Input Validation

CVE-2016-4972

Severity High
Score 9.8/10

Summary

OpenStack Murano before 1.0.3 (liberty), 2.x before 2.0.1 (mitaka), 2014.x and 2015.x, Murano-dashboard before 1.0.3 (liberty), 2.x before 2.0.1 (mitaka), 2014.x and 2015.x, and python-muranoclient before 0.7.3 (liberty) and 0.8.x before 0.8.5 (mitaka) improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files, which allows remote attackers to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages.

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • HIGH
  • HIGH

CWE-20 - Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Advisory Timeline

  • Published