Source: vitrage
Version: 14.0.0-4
Severity: serious
Tags: patch security
X-Debbugs-Cc: Debian Security Team <[email protected]>

https://security.openstack.org/ossa/OSSA-2026-003.html

Date: March 03, 2026
CVE: CVE-2026-28370

Affects:
- Vitrage: <12.0.1, ==13.0.0, ==14.0.0, ==15.0.0

Description:
Khalil Lemtaffah (Nokia) reported a vulnerability in the Vitrage query parser. A user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected.

Patches:
- https://review.opendev.org/962671 (2023.1/antelope)
- https://review.opendev.org/962713 (2024.1/caracal)
- https://review.opendev.org/962712 (2024.2/dalmatian)
- https://review.opendev.org/962646 (2025.1/epoxy)
- https://review.opendev.org/962658 (2025.2/flamingo)
- https://review.opendev.org/962617 (2026.1/gazpacho)

Credits:
- Khalil Lemtaffah from Nokia (CVE-2026-28370)

References:
- https://storyboard.openstack.org/#!/story/2011539
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28370

Notes:
- The stable/2023.1 branch is unmaintained and will receive no new point releases, but a patch for it is provided as a courtesy.
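The Affects line above is the only machine-checkable part of the advisory, and the Debian package version (14.0.0-4) carries an epoch/revision that the upstream ranges do not. The following is an added example, not code from the advisory, Vitrage, or the Debian package: it parses the OSSA-style Affects spec and tests a Debian or upstream version string against it. The function names and the sample version strings are mine; only the spec string is taken from the advisory.

```python
import re

# Affects: line copied verbatim from OSSA-2026-003.
AFFECTS = "<12.0.1, ==13.0.0, ==14.0.0, ==15.0.0"

# One constraint: a comparison operator followed by a dotted numeric version.
_CONSTRAINT = re.compile(r"(<=|>=|==|<|>)\s*([0-9]+(?:\.[0-9]+)*)")


def parse_version(version):
    """Return the upstream version as a tuple of ints.

    Accepts plain upstream versions ("14.0.0") as well as Debian package
    versions with an epoch and/or revision ("1:14.0.0-4"). The epoch and the
    Debian revision are dropped because the advisory's ranges refer to
    upstream releases only.
    """
    upstream = version.strip().split(":", 1)[-1].split("-", 1)[0]
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+)*", upstream):
        raise ValueError(f"not a plain numeric version: {version!r}")
    return tuple(int(part) for part in upstream.split("."))


def _padded(a, b):
    """Right-pad the shorter tuple with zeros so 12.0 compares equal to 12.0.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}


def parse_affects(spec):
    """Parse a comma-separated OSSA 'Affects' spec into (operator, version) pairs."""
    constraints = []
    for item in spec.split(","):
        item = item.strip()
        m = _CONSTRAINT.fullmatch(item)
        if m is None:
            raise ValueError(f"unparseable constraint: {item!r}")
        constraints.append((m.group(1), parse_version(m.group(2))))
    return constraints


def is_affected(installed, spec=AFFECTS):
    """True if `installed` satisfies any constraint in `spec` (constraints are OR-ed)."""
    v = parse_version(installed)
    for op, bound in parse_affects(spec):
        a, b = _padded(v, bound)
        if _OPS[op](a, b):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: the Debian version from this report plus a
    # few boundary cases around the fixed point releases.
    for candidate in ("14.0.0-4", "1:12.0.0-1", "12.0.1", "13.0.1", "15.0.0", "16.0.0"):
        verdict = "AFFECTED" if is_affected(candidate) else "not in range"
        print(f"{candidate:>12}: {verdict}")
```

The check is deliberately strict: a version string with a non-numeric upstream component raises rather than silently passing. One caveat for Debian specifically: a maintainer may backport the fix as 14.0.0-5 without changing the upstream part, so a positive result from this check means "upstream version in the affected range", not "unpatched". Before treating a host as vulnerable, confirm that the installed package's Debian changelog (for example via `apt changelog vitrage`) does not mention CVE-2026-28370.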

