{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"High"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https:/www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"python-yaql security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for python-yaql is now available for openEuler-22.03-LTS-SP3.",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"YAQL (Yet Another Query Language) is an embeddable and extensible query language, that allows performing complex queries against arbitrary objects. It has a vast and comprehensive standard library of frequently used querying functions and can be extend even further with user-specified functions. YAQL is written in python and is distributed via PyPI.\n\nSecurity Fix(es):\n\nIn OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.(CVE-2024-29156)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for python-yaql is now available for openEuler-22.03-LTS-SP3.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"High",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"python-yaql",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2024-1331",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1331"
			},
			{
				"summary":"CVE-2024-29156",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2024-29156&packageName=python-yaql"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29156"
			},
			{
				"summary":"openEuler-SA-2024-1331 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2024/csaf-openeuler-sa-2024-1331.json"
			}
		],
		"title":"An update for python-yaql is now available for openEuler-22.03-LTS-SP3",
		"tracking":{
			"initial_release_date":"2024-03-29T09:13:49+08:00",
			"revision_history":[
				{
					"date":"2024-03-29T09:13:49+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				},
				{
					"date":"2024-10-31T09:13:49+08:00",
					"summary":"final",
					"number":"2.0.0"
				}
			],
			"generator":{
				"date":"2024-10-31T09:13:49+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2024-10-31T09:13:49+08:00",
			"id":"openEuler-SA-2024-1331",
			"version":"2.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3"
									},
									"product_id":"openEuler-22.03-LTS-SP3",
									"name":"openEuler-22.03-LTS-SP3"
								},
								"name":"openEuler-22.03-LTS-SP3",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3"
									},
									"product_id":"python3-yaql-2.0.0-2.oe2203sp3.noarch.rpm",
									"name":"python3-yaql-2.0.0-2.oe2203sp3.noarch.rpm"
								},
								"name":"python3-yaql-2.0.0-2.oe2203sp3.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3"
									},
									"product_id":"python-yaql-help-2.0.0-2.oe2203sp3.noarch.rpm",
									"name":"python-yaql-help-2.0.0-2.oe2203sp3.noarch.rpm"
								},
								"name":"python-yaql-help-2.0.0-2.oe2203sp3.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3"
									},
									"product_id":"python-yaql-2.0.0-2.oe2203sp3.src.rpm",
									"name":"python-yaql-2.0.0-2.oe2203sp3.src.rpm"
								},
								"name":"python-yaql-2.0.0-2.oe2203sp3.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP3",
				"product_reference":"python3-yaql-2.0.0-2.oe2203sp3.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP3:python3-yaql-2.0.0-2.oe2203sp3.noarch",
					"name":"python3-yaql-2.0.0-2.oe2203sp3.noarch as a component of openEuler-22.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP3",
				"product_reference":"python-yaql-help-2.0.0-2.oe2203sp3.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP3:python-yaql-help-2.0.0-2.oe2203sp3.noarch",
					"name":"python-yaql-help-2.0.0-2.oe2203sp3.noarch as a component of openEuler-22.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP3",
				"product_reference":"python-yaql-2.0.0-2.oe2203sp3.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP3:python-yaql-2.0.0-2.oe2203sp3.src",
					"name":"python-yaql-2.0.0-2.oe2203sp3.src as a component of openEuler-22.03-LTS-SP3"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2024-29156",
			"notes":[
				{
					"text":"In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-22.03-LTS-SP3:python3-yaql-2.0.0-2.oe2203sp3.noarch",
					"openEuler-22.03-LTS-SP3:python-yaql-help-2.0.0-2.oe2203sp3.noarch",
					"openEuler-22.03-LTS-SP3:python-yaql-2.0.0-2.oe2203sp3.src"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-22.03-LTS-SP3:python3-yaql-2.0.0-2.oe2203sp3.noarch",
						"openEuler-22.03-LTS-SP3:python-yaql-help-2.0.0-2.oe2203sp3.noarch",
						"openEuler-22.03-LTS-SP3:python-yaql-2.0.0-2.oe2203sp3.src"
					],
					"details":"python-yaql security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1331"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"HIGH",
						"baseScore":8.4,
						"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
						"version":"3.1"
					},
					"products":[
						"openEuler-22.03-LTS-SP3:python3-yaql-2.0.0-2.oe2203sp3.noarch",
						"openEuler-22.03-LTS-SP3:python-yaql-help-2.0.0-2.oe2203sp3.noarch",
						"openEuler-22.03-LTS-SP3:python-yaql-2.0.0-2.oe2203sp3.src"
					]
				}
			],
			"threats":[
				{
					"details":"High",
					"category":"impact"
				}
			],
			"title":"CVE-2024-29156"
		}
	]
}