./python-muranoclient/muranoclient/v1/shell.py:258: archive_name = args.output or tempfile.mktemp(prefix="murano_")
try:
if args.template:
directory_path = hot_package.prepare_package(args)
else:
directory_path = mpl_package.prepare_package(args)
archive_name = args.output or tempfile.mktemp(prefix="murano_")
_make_archive(archive_name, directory_path)
print("Application package is available at " +
os.path.abspath(archive_name))
this is highly insecure and allows an attacker to modify the contents of the archive, assuming no arg name was passed. This code does not appear to be used, but is still CVE worthy as the code may be used (ref: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1692). Exploitation of this vuln would appear to lead to code execution (e.g. modify the archive package which is then used while deploying systems).
The offending code seems to have been replaced months ago as a side effect of https:/ /review. openstack. org/204048 (so fixed in 0.6.3), and was originally introduced in 8468a03 which first appeared in the 0.5.3 release.