CVE-2016-4985
Published: Jul 12, 2016
Modified: Aug 6, 2024
PUBLISHED
Description
The ironic-api service in OpenStack Ironic before 4.2.5 (Liberty) and 5.x before 5.1.2 (Mitaka) allows remote attackers to obtain sensitive information about a registered node by leveraging knowledge of the MAC address of a network card belonging to that node and sending a crafted POST request to the v1/drivers/$DRIVER_NAME/vendor_passthru resource.
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | affected n/a |
References
| Reference | Tags |
|---|---|
| https://review.openstack.org/332197 | x_refsource_CONFIRM |
| https://bugs.launchpad.net/ironic/+bug/1572796 | x_refsource_CONFIRM |
| [oss-security] 20160621 Ironic node information including credentials exposed to unathenticated users | mailing-list, x_refsource_MLIST |
| https://review.openstack.org/332195 | x_refsource_CONFIRM |
| RHSA-2016:1378 | vendor-advisory, x_refsource_REDHAT |
| RHSA-2016:1377 | vendor-advisory, x_refsource_REDHAT |
| https://review.openstack.org/332196 | x_refsource_CONFIRM |