Openstack

Ironic

13 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.29%
  • Veröffentlicht 14.06.2026 03:49:37
  • Zuletzt bearbeitet 16.06.2026 15:51:29

In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POS...

  • EPSS 0.43%
  • Veröffentlicht 04.06.2026 23:59:20
  • Zuletzt bearbeitet 08.07.2026 13:16:53

In OpenStack Ironic 32 before 37.0.0, an unauthenticated malicious user could submit a crafted JSON string to some endpoints on the API or JSON-RPC service and effect a service crash.

  • EPSS 0.28%
  • Veröffentlicht 04.06.2026 00:00:00
  • Zuletzt bearbeitet 04.06.2026 18:40:49

OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via a pxe_template.

  • EPSS 0.6%
  • Veröffentlicht 04.06.2026 00:00:00
  • Zuletzt bearbeitet 04.06.2026 18:40:34

OpenStack Ironic through before 35.0.2 allows file overwrite via directory traversal during deployment with a crafted ISO image.

  • EPSS 0.26%
  • Veröffentlicht 03.06.2026 00:00:00
  • Zuletzt bearbeitet 15.06.2026 23:16:45

OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info.

  • EPSS 0.47%
  • Veröffentlicht 14.05.2026 00:00:00
  • Zuletzt bearbeitet 20.05.2026 17:16:23

In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL.

  • EPSS 0.34%
  • Veröffentlicht 08.05.2026 06:38:37
  • Zuletzt bearbeitet 20.05.2026 16:16:25

In OpenStack Ironic before 35.0.2 (in a certain non-default configuration), instance_info['ks_template'] is rendered without sandboxing.

  • EPSS 0.44%
  • Veröffentlicht 05.05.2026 00:00:00
  • Zuletzt bearbeitet 08.07.2026 13:16:44

An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to al...

  • EPSS 0.57%
  • Veröffentlicht 28.04.2026 04:53:10
  • Zuletzt bearbeitet 20.05.2026 17:16:22

OpenStack Ironic before 35.0.1 allows ipmitool execution in a non-default configuration that has a console interface.

  • EPSS 0.16%
  • Veröffentlicht 08.05.2025 00:00:00
  • Zuletzt bearbeitet 15.04.2026 00:35:42

OpenStack Ironic before 29.0.1 can write unintended files to a target node disk during image handling (if a deployment was performed via the API). A malicious project assigned as a node owner can provide a path to any local file (readable by ironic-c...