CVE-2020-26943
CRITICALOpenStack blazar-dashboard < 1.3.1 - Remote Code Execution via Python eval Function
Title source: llmDescription
An issue was discovered in OpenStack blazar-dashboard before 1.3.1, 2.0.0, and 3.0.0. A user allowed to access the Blazar dashboard in Horizon may trigger code execution on the Horizon host as the user the Horizon service runs under (because the Python eval function is used). This may result in Horizon host unauthorized access and further compromise of the Horizon service. All setups using the Horizon dashboard with the blazar-dashboard plugin are affected.
References (8)
Core 8
Core References
Third Party Advisory x_refsource_misc
https://launchpad.net/bugs/1895688
Third Party Advisory x_refsource_misc
https://review.opendev.org/755810
Third Party Advisory x_refsource_misc
https://review.opendev.org/756064
Third Party Advisory x_refsource_misc
https://review.opendev.org/755812
Third Party Advisory x_refsource_misc
https://review.opendev.org/755813
Third Party Advisory x_refsource_misc
https://review.opendev.org/755814
Third Party Advisory x_refsource_confirm
https://security.openstack.org/ossa/OSSA-2020-007.html
Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2020/10/16/5
Scores
CVSS v3
9.9
EPSS
0.0152
EPSS Percentile
81.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Details
Status
published
Products (4)
openstack/blazar-dashboard
2.0.0
openstack/blazar-dashboard
3.0.0
openstack/blazar-dashboard
< 1.3.1
pypi/blazar-dashboard
0 - 1.3.1PyPI
Published
Oct 16, 2020
Tracked Since
Feb 18, 2026