This issue was fixed in the openstack/murano-dashboard 1.0.3 release.

-- 
You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1586079

Title:
  YaqlYamlLoader inherits from YamlLoader

Status in Murano:
  Fix Released
Status in Murano kilo series:
  Won't Fix
Status in Murano liberty series:
  Fix Released
Status in Murano mitaka series:
  Fix Released
Status in Murano newton series:
  Fix Released

Bug description:
  YaqlYamlLoader inherits from YamlLoader, meaning that it is possible
  to use extended unsafe tags in yaml files
  http://pyyaml.org/wiki/PyYAMLDocumentation#YAMLtagsandPythontypes

  Both dashboard, engine/api seem to be vulnerable.

To manage notifications about this bug go to:
https://bugs.launchpad.net/murano/+bug/1586079/+subscriptions
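The inheritance problem described in the bug, as an added example that is not Murano's code: a custom loader keeps its application tag when it is rebased onto `yaml.SafeLoader`, but stops resolving Python-specific tags. Assumptions: PyYAML is installed, "YamlLoader" in the report means PyYAML's `yaml.Loader`, and the `!expr` tag, class names and helper functions are hypothetical.

```python
import yaml

# Hypothetical application tag, standing in for whatever custom tag a project adds.
def construct_expr(loader, node):
    return ("expr", loader.construct_scalar(node))

class UnsafeAppLoader(yaml.Loader):
    """Pattern from the bug report: custom loader built on yaml.Loader."""

class SafeAppLoader(yaml.SafeLoader):
    """Hardened form: same custom tag, built on yaml.SafeLoader."""

for cls in (UnsafeAppLoader, SafeAppLoader):
    # add_constructor copies the constructor table per class,
    # so the parent PyYAML loaders are not modified.
    cls.add_constructor("!expr", construct_expr)

# Constructed sample document: one application tag and one benign
# Python-specific tag (!!python/tuple) used purely as a probe.
SAMPLE = """
name: demo
rule: !expr "$.size > 1"
pair: !!python/tuple [1, 2]
"""

def load_with(loader_cls, text=SAMPLE):
    """Return (ok, data) on success or (False, error message) on rejection."""
    try:
        return True, yaml.load(text, Loader=loader_cls)
    except yaml.constructor.ConstructorError as exc:
        return False, exc.problem

def python_tags_enabled(loader_cls):
    """Audit check: does this loader class register any python/ tag handlers?"""
    prefix = "tag:yaml.org,2002:python/"
    tags = list(loader_cls.yaml_constructors)
    tags += list(loader_cls.yaml_multi_constructors)
    return any(t is not None and t.startswith(prefix) for t in tags)

if __name__ == "__main__":
    for cls in (UnsafeAppLoader, SafeAppLoader):
        print(cls.__name__, python_tags_enabled(cls), load_with(cls))
```

`python_tags_enabled` can be run against any loader class in a code base to flag ones that still inherit the Python-specific constructors.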