
13 matches found

EUVD
added 2025/10/03 8:7 p.m. · 2 views

EUVD-2023-1258

Malicious code in bioql PyPI...

CVSS 6 · AI score 5.7 · EPSS 0.00019
Exploits 1 · References 4
Veracode
added 2024/09/04 8:25 a.m. · 8 views

Secret Exfiltration

github.com/metal3-io/baremetal-operator is vulnerable to Secret Exfiltration. The vulnerability is due to BMO's ability to read Secrets from any namespace, which allows an attacker to exfiltrate Secrets from other namespaces by linking them to a BareMetalHost configuration...

CVSS 4.9 · AI score 6.4 · EPSS 0.00223
Exploits 0 · References 8
Veracode
added 2023/05/08 1:20 p.m. · 19 views

Improper Authorization

github.com/metal3-io/baremetal-operator is vulnerable to Improper Authorization. Ironic and Ironic-inspector store their .htpasswd files as ConfigMaps rather than Secrets when they are installed within Baremetal Operator using the supplied deploy.sh file. Anyone with access to the...

CVSS 6 · AI score 5.4 · EPSS 0.00019
Exploits 1 · References 3 · Affected Software 1
RedhatCVE
added 2023/04/27 8:51 a.m. · 123 views

CVE-2023-30841

A flaw was found in the baremetal-operator, where the ironic and ironic-inspector deployed within the baremetal operator using the included deploy.sh store .htpasswd files as ConfigMaps instead of Secrets. This issue causes the plain-text username and hashed password to be readable by anyone havi...

CVSS 6 · AI score 5.6 · EPSS 0.00019
Exploits 1 · References 5
Github Security Blog
added 2023/04/26 7:46 p.m. · 21 views

Ironic and ironic-inspector may expose as ConfigMaps

Impact: Ironic and ironic-inspector deployed within Baremetal Operator using the included deploy.sh store their .htpasswd files as ConfigMaps instead of Secrets. This causes the plain-text username and hashed password to be readable by anyone having a cluster-wide read-access to the management...

CVSS 6 · AI score 5.5 · EPSS 0.00019
Exploits 1 · References 4 · Affected Software 1
NVD
added 2023/04/26 7:15 p.m. · 16 views

CVE-2023-30841

Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included deploy.sh store their .htpasswd files as ConfigMaps instead of Secrets. This causes the plain-text usernam...

CVSS 6 · AI score 5.9 · EPSS 0.00019
Exploits 1 · References 2
Prion
added 2023/04/26 7:15 p.m. · 28 views

Default credentials

Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included deploy.sh store their .htpasswd files as ConfigMaps instead of Secrets. This causes the plain-text usernam...

CVSS 1.7 · AI score 5.7 · EPSS 0.00019
Exploits 1 · References 2 · Affected Software 1
Vulnrichment
added 2023/04/26 6:24 p.m. · 5 views

CVE-2023-30841 Ironic and ironic-inspector deployed within Baremetal Operator may expose as ConfigMaps

Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included deploy.sh store their .htpasswd files as ConfigMaps instead of Secrets. This causes the plain-text usernam...

CVSS 6 · AI score 5.9 · EPSS 0.00019
Exploits 1 · References 2
CVE
added 2023/04/26 6:24 p.m. · 180 views

CVE-2023-30841

Baremetal Operator (BMO) pre-0.3.0 stores ironic and ironic-inspector .htpasswd credentials as ConfigMaps, exposing plain-text usernames and hashed passwords to anyone with cluster-wide read access or etcd access. The issue is fixed in BMO release 0.3.0 and via PR #1241. Affected component: Barem...

CVSS 6 · AI score 5.9 · EPSS 0.00019
Exploits 1 · References 2 · Affected Software 1
Cvelist
added 2023/04/26 6:24 p.m. · 21 views

CVE-2023-30841 Ironic and ironic-inspector deployed within Baremetal Operator may expose as ConfigMaps

Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included deploy.sh store their .htpasswd files as ConfigMaps instead of Secrets. This causes the plain-text usernam...

CVSS 6 · AI score 6.1 · EPSS 0.00019
Exploits 1 · References 2
OSV
added 2023/04/26 6:24 p.m. · 14 views

CVE-2023-30841 Ironic and ironic-inspector deployed within Baremetal Operator may expose as ConfigMaps

Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included deploy.sh store their .htpasswd files as ConfigMaps instead of Secrets. This causes the plain-text usernam...

CVSS 6 · AI score 5.8 · EPSS 0.00019
Exploits 1 · References 4
Positive Technologies
added 2023/04/26 12:0 a.m. · 3 views

PT-2023-22996 · Unknown +1 · Baremetal Operator +2

Name of the Vulnerable Software and Affected Versions: Baremetal Operator versions prior to 0.3.0
Description: The issue arises from the storage of .htpasswd files as ConfigMaps instead of Secrets by ironic and ironic-inspector deployed within Baremetal Operator using the included deploy.sh. This...

CVSS 6 · AI score 5.6 · EPSS 0.00019
Exploits 1 · References 7
RedHat Linux
added 2021/03/30 4:45 a.m. · 76 views

Moderate: Red Hat Security Advisory: OpenShift Container Platform 4.7.4 security update

Red Hat OpenShift Container Platform release 4.7.4 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which...

CVSS 6.5 · AI score 6.6 · EPSS 0.0012
Exploits 0 · References 30