github.com/metal3-io/baremetal-operator is vulnerable to Improper Authorization. When Ironic and Ironic-inspector are installed within Baremetal Operator using the supplied deploy.sh file, their .htpasswd files are stored as ConfigMaps rather than Secrets. Anyone with access to the management cluster's etcd storage or with cluster-wide read access can read the plain-text login and hashed password.
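
An audit for this condition, as an added example that is not code from the baremetal-operator project: it scans a ConfigMap listing for values shaped like .htpasswd entries and reports where they sit without echoing the hashes. The namespace, ConfigMap names, keys and hash in the sample are constructed placeholders, and the set of hash prefixes matched is an assumption about which htpasswd schemes are in use.

```python
import json
import re
import sys

# One htpasswd entry is "user:hash"; match the hash schemes Apache htpasswd emits
# (bcrypt, apr1 MD5, {SHA}, crypt-style SHA-256/512).
HTPASSWD_LINE = re.compile(
    r"^(?P<user>[^:\s#][^:\s]*):"
    r"(?:\$2[aby]\$\S+|\$apr1\$\S+|\{SHA\}\S+|\$[56]\$\S+)$"
)

def find_htpasswd_in_configmaps(configmap_list):
    """Return (namespace, name, key, user) per htpasswd-style entry in ConfigMap data.
    Hash values are never returned, so the report itself does not leak them."""
    findings = []
    for item in configmap_list.get("items", []):
        if item.get("kind") != "ConfigMap":
            continue
        meta = item.get("metadata", {})
        for key, value in (item.get("data") or {}).items():
            for line in str(value).splitlines():
                match = HTPASSWD_LINE.match(line.strip())
                if match:
                    findings.append((meta.get("namespace", ""), meta.get("name", ""),
                                     key, match.group("user")))
    return findings

# Constructed sample: names, keys and the hash are placeholders, not real cluster data.
SAMPLE = {"items": [
    {"kind": "ConfigMap",
     "metadata": {"namespace": "example-system", "name": "example-ironic-htpasswd"},
     "data": {"htpasswd": "admin:$2y$05$CONSTRUCTEDPLACEHOLDERHASHVALUE000000000000000000000\n"}},
    {"kind": "ConfigMap",
     "metadata": {"namespace": "example-system", "name": "example-settings"},
     "data": {"log_level": "debug", "endpoint": "http://localhost:8080"}},
]}

if __name__ == "__main__":
    # Real use: kubectl get configmaps --all-namespaces -o json | python3 this_script.py
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, name, key, user in find_htpasswd_in_configmaps(doc):
        print(f"ConfigMap {ns}/{name} key {key!r} holds an htpasswd entry for user {user!r}")
```

Any ConfigMap it reports is readable by every principal with ConfigMap read access in that namespace, so the credential belongs in a Secret with narrower RBAC and should be rotated after the move.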