358 matches found
RHSA-2026:39811 Red Hat Security Advisory: Red Hat OpenStack Services on OpenShift 18.0 (openstack-ironic) security update
Bulletin has no description...
CVE-2026-54423
In OpenStack Ironic before 37.0.1, an Ironic user with the ability to deploy nodes using the IPMI management interface can maliciously use the sendraw step to send arbitrary IPMI commands to a node, bypassing Ironic's access control...
DEBIAN-CVE-2026-54423
In OpenStack Ironic before 37.0.1, an Ironic user with the ability to deploy nodes using the IPMI management interface can maliciously use the sendraw step to send arbitrary IPMI commands to a node, bypassing Ironic's access control...
CVE-2026-44918
OpenStack Ironic through before 37.0.1 allows creation or modification of nodes cross-project without authorization...
DEBIAN-CVE-2026-44918
OpenStack Ironic through before 37.0.1 allows creation or modification of nodes cross-project without authorization...
EUVD-2026-42781
In OpenStack Ironic before 37.0.1, an Ironic user with the ability to deploy nodes using the IPMI management interface can maliciously use the sendraw step to send arbitrary IPMI commands to a node, bypassing Ironic's access control...
CVE-2026-54423
OpenStack Ironic (before 37.0.1) is vulnerable: a user capable of deploying nodes via IPMI can abuse the IPMI send_raw step to send arbitrary IPMI commands to a node, bypassing Ironic’s access control. Impact is high (CVE-2026-54423). The root cause is the exposure of IPMI send_raw in deployment ...
CVE-2026-54423
In OpenStack Ironic before 37.0.1, an Ironic user with the ability to deploy nodes using the IPMI management interface can maliciously use the sendraw step to send arbitrary IPMI commands to a node, bypassing Ironic's access control...
CVE-2026-54423
In OpenStack Ironic before 37.0.1, an Ironic user with the ability to deploy nodes using the IPMI management interface can maliciously use the sendraw step to send arbitrary IPMI commands to a node, bypassing Ironic's access control...
CVE-2026-54423
In OpenStack Ironic before 37.0.1, an Ironic user with the ability to deploy nodes using the IPMI management interface can maliciously use the sendraw step to send arbitrary IPMI commands to a node, bypassing Ironic's access control...
EUVD-2026-42777
OpenStack Ironic through before 37.0.1 allows creation or modification of nodes cross-project without authorization...
CVE-2026-44918
OpenStack Ironic (up to 37.0.1) allows an authenticated project manager to create/modify nodes across projects without authorization, potentially misconfiguring which project owns a node and exposing secrets stored in volume connectors/targets. Red Hat notes a specific flaw where a manager can re...
CVE-2026-44918
OpenStack Ironic through before 37.0.1 allows creation or modification of nodes cross-project without authorization...
CVE-2026-44918
OpenStack Ironic through before 37.0.1 allows creation or modification of nodes cross-project without authorization...
Missing Authorization
Overview ironic is an OpenStack Bare Metal Provisioning Affected versions of this package are vulnerable to Missing Authorization in the sendraw process. An attacker can gain unauthorized control over hardware or cause a system outage by sending arbitrary IPMI commands to the BMC. This is only...
PYSEC-2026-505 Injection vulnerability that affects ironic-discoverd
OpenStack Ironic Inspector aka ironic-inspector or ironic-discoverd, when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error...
CVE-2026-50589
A flaw was found in OpenStack Ironic. An unauthenticated malicious user could exploit this vulnerability by submitting a specially crafted JSON JavaScript Object Notation string to certain API Application Programming Interface or JSON-RPC Remote Procedure Call service endpoints. This could lead t...
CVE-2026-54421
A flaw was found in OpenStack Ironic. When an authorized user applies a PATCH operation to update volume properties, the system can inadvertently expose sensitive information, such as iSCSI credentials. This information disclosure vulnerability allows an attacker to gain access to credentials tha...
SUSE CVE-2026-54421
In OpenStack Ironic before 37.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information such as iSCSI credentials. The PATCH outcome is a security issue; the POST outcome is not a security issue...
CVE-2026-54421
In OpenStack Ironic before 37.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information such as iSCSI credentials. The PATCH outcome is a security issue; the POST outcome is not a security issue...