Improper Input Validation
CVE-2016-4972
Summary
OpenStack Murano before 1.0.3 (liberty), 2.x before 2.0.1 (mitaka), 2014.x and 2015.x, Murano-dashboard before 1.0.3 (liberty), 2.x before 2.0.1 (mitaka), 2014.x and 2015.x, and python-muranoclient before 0.7.3 (liberty) and 0.8.x before 0.8.5 (mitaka) improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files, which allows remote attackers to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- HIGH
CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Advisory Timeline
- Published