virtualbmc is vulnerable to information disclosure. The vulnerability exists because the set_boot_device function in vbmc.py does not properly secure information on XML changes when setting parameters related to boot mode, options and firmware, allowing an attacker to gain sensitive information.
github.com/advisories/GHSA-5pj3-6fqm-8m7m
github.com/openstack/virtualbmc/commit/348e96511477fd8d89a0296da75015ca3182c836
lists.fedoraproject.org/archives/list/[email protected]/message/GAD7QJIUWPCKJIGYP7PPHH5DILOEONFE/
lists.fedoraproject.org/archives/list/[email protected]/message/KEQVJF3OQGSDCSQTQQSC54JEGLMSNB4Q/
lists.fedoraproject.org/archives/list/[email protected]/message/QMSUGS4B6EBRHBJMTRXL5RIKJTZTEMJC/
review.opendev.org/c/openstack/sushy-tools/+/862625
review.opendev.org/c/openstack/virtualbmc/+/862620
storyboard.openstack.org/#!/story/2010382