High severity 7.5 · NVD Advisory · Published Jul 12, 2016 · Updated Jun 17, 2026
CVE-2016-4985
Description
The ironic-api service in OpenStack Ironic before 4.2.5 (Liberty) and 5.x before 5.1.2 (Mitaka) allows remote attackers to obtain sensitive information about a registered node by leveraging knowledge of the MAC address of a network card belonging to that node and sending a crafted POST request to the v1/drivers/$DRIVER_NAME/vendor_passthru resource.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ironic (PyPI) | < 4.2.5 | 4.2.5 |
| ironic (PyPI) | >= 5.0, < 5.1.2 | 5.1.2 |
Affected products
- cpe:2.3:a:canonical:openstack_ironic:*:*:*:*:*:*:*:* (range: <=4.2.4)
- cpe:2.3:a:canonical:openstack_ironic:5.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:openstack_ironic:5.1.1:*:*:*:*:*:*:*
- ghsa-coords (13 versions):
  - pkg:pypi/ironic
  - pkg:rpm/suse/openstack-designate&distro=SUSE%20OpenStack%20Cloud%206
  - pkg:rpm/suse/openstack-designate-doc&distro=SUSE%20OpenStack%20Cloud%206
  - pkg:rpm/suse/openstack-ironic&distro=SUSE%20OpenStack%20Cloud%206
  - pkg:rpm/suse/openstack-ironic-doc&distro=SUSE%20OpenStack%20Cloud%206
  - pkg:rpm/suse/openstack-neutron-vpnaas&distro=SUSE%20OpenStack%20Cloud%206
  - pkg:rpm/suse/openstack-neutron-vpnaas-doc&distro=SUSE%20OpenStack%20Cloud%206
  - pkg:rpm/suse/openstack-nova-docker&distro=SUSE%20OpenStack%20Cloud%206
  - pkg:rpm/suse/openstack-sahara&distro=SUSE%20OpenStack%20Cloud%206
  - pkg:rpm/suse/openstack-sahara-doc&distro=SUSE%20OpenStack%20Cloud%206
  - pkg:rpm/suse/openstack-tempest&distro=SUSE%20OpenStack%20Cloud%206
  - pkg:rpm/suse/openstack-trove&distro=SUSE%20OpenStack%20Cloud%206
  - pkg:rpm/suse/openstack-trove-doc&distro=SUSE%20OpenStack%20Cloud%206
- (no CPE) range: < 4.2.5
- (no CPE) range: < 1.0.3~a0~dev10-6.1
- (no CPE) range: < 1.0.3~a0~dev10-6.2
- (no CPE) range: < 4.2.5-6.1
- (no CPE) range: < 4.2.5-6.2
- (no CPE) range: < 7.0.5~a0~dev3-6.1
- (no CPE) range: < 7.0.5~a0~dev3-6.1
- (no CPE) range: < 0.0.1~a0~dev238-4.1
- (no CPE) range: < 3.0.3~a0~dev1-6.1
- (no CPE) range: < 3.0.3~a0~dev1-6.1
- (no CPE) range: < 7.0.0-9.1
- (no CPE) range: < 4.0.1~a0~dev19-8.1
- (no CPE) range: < 4.0.1~a0~dev19-8.1
References
- bugs.launchpad.net/ironic/+bug/1572796 (nvd, Vendor Advisory, WEB)
- github.com/advisories/GHSA-f7cr-7c2c-fm8r (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-4985 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2016/06/21/6 (nvd, WEB)
- access.redhat.com/errata/RHSA-2016:1377 (nvd, WEB)
- access.redhat.com/errata/RHSA-2016:1378 (nvd, WEB)
- access.redhat.com/security/cve/CVE-2016-4985 (ghsa, WEB)
- bugzilla.redhat.com/show_bug.cgi (ghsa, WEB)
- github.com/openstack/ironic/commit/426a306fb580762e97ada04e1253dedd9b64d410 (ghsa, WEB)
- github.com/openstack/ironic/commit/affec224977174581d19a2b914772cb0409f633e (ghsa, WEB)
- github.com/openstack/ironic/commit/f5a3ff1dfcde068769f9a2a477ba6a9edaf69c77 (ghsa, WEB)
- review.openstack.org/332195 (nvd, WEB)
- review.openstack.org/332196 (nvd, WEB)
- review.openstack.org/332197 (nvd, WEB)