=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN248
_____________________________________________________________________

DATE                : 04/03/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running OpenStack Vitrage versions
                       <12.0.1, ==13.0.0, ==14.0.0, ==15.0.0.

=====================================================================
https://security.openstack.org/ossa/OSSA-2026-003.html
_____________________________________________________________________


OSSA-2026-003: Remote code execution through Vitrage query parser

Date:

    March 03, 2026

CVE:

    CVE-2026-28370

Affects

    Vitrage: <12.0.1, ==13.0.0, ==14.0.0, ==15.0.0

Description

Khalil Lemtaffah (Nokia) reported a vulnerability in the Vitrage query
parser. A user allowed to access the Vitrage API may trigger code
execution on the Vitrage service host as the user the Vitrage service
runs under. This may result in unauthorized access to the host and
further compromise of the Vitrage service. All deployments exposing
the Vitrage API are affected.


Patches

    https://review.opendev.org/962671 (2023.1/antelope)

    https://review.opendev.org/962713 (2024.1/caracal)

    https://review.opendev.org/962712 (2024.2/dalmatian)

    https://review.opendev.org/962646 (2025.1/epoxy)

    https://review.opendev.org/962658 (2025.2/flamingo)

    https://review.opendev.org/962617 (2026.1/gazpacho)


Credits

    Khalil Lemtaffah from Nokia (CVE-2026-28370)


References

    https://storyboard.openstack.org/#!/story/2011539

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28370


Notes

    The stable/2023.1 branch is unmaintained and will receive
    no new point releases, but a patch for it is provided as a
    courtesy.
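
To check a host against the "Affects" list above, the following added example (not part of the OSSA advisory or of Vitrage itself) classifies a version string against that list. It assumes it is run with the Python interpreter of the Vitrage service and that the installed distribution is named "vitrage"; the function names and result labels are illustrative.

```python
import re
from importlib import metadata

# Affected-version list copied from the advisory's "Affects" line.
AFFECTED_SPEC = "<12.0.1, ==13.0.0, ==14.0.0, ==15.0.0"

_RELEASE = re.compile(r"^\d+(\.\d+)*$")


def _key(version):
    """Turn '13.0.0' into (13,): trailing zeros dropped so '13.0' == '13.0.0'."""
    parts = [int(p) for p in version.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def classify(version, spec=AFFECTED_SPEC):
    """Return 'affected', 'not-listed' or 'unknown' for a version string.

    'unknown' covers anything that is not a plain dotted release number,
    for example a development build such as '13.0.1.dev4'. The advisory
    lists tagged releases only, so such builds need a manual check
    against the patches.
    """
    version = version.strip()
    if not _RELEASE.match(version):
        return "unknown"
    installed = _key(version)
    for clause in spec.split(","):
        op, bound = re.match(r"\s*(<|==)\s*([\d.]+)\s*$", clause).groups()
        if op == "<" and installed < _key(bound):
            return "affected"
        if op == "==" and installed == _key(bound):
            return "affected"
    return "not-listed"


def installed_vitrage_status():
    """Classify the Vitrage package visible to this Python environment."""
    try:
        version = metadata.version("vitrage")  # assumed distribution name
    except metadata.PackageNotFoundError:
        return None, "not-installed"
    return version, classify(version)


if __name__ == "__main__":
    print(installed_vitrage_status())
```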


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




