PyPI package
ironic
pkg:pypi/ironic
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42510 | Med | 6.6 | | <= 25.0.0 | — | Apr 28, 2026 | OpenStack Ironic before 35.0.1 allows ipmitool execution in a non-default configuration that has a console interface. |
| CVE-2025-44021 | Low | 2.8 | | < 24.1.3 | 24.1.3 | May 8, 2025 | OpenStack Ironic before 29.0.1 can write unintended files to a target node disk during image handling (if a deployment was performed via the API). A malicious project assigned as a node owner can provide a path to any local file (readable by ironic-conductor), which may then be w |
| CVE-2024-47211 | Med | 5.3 | | >= 25.0.0, < 26.1.1 | 26.1.1 | Oct 4, 2024 | In OpenStack Ironic before 21.4.4, 22.x and 23.x before 23.0.3, 23.x and 24.x before 24.1.3, and 25.x and 26.x before 26.1.0, there is a lack of checksum validation of supplied image_source URLs when configured to convert images to a raw format for streaming. |
| CVE-2016-4985 | High | 7.5 | | < 4.2.5 | 4.2.5 | Jul 12, 2016 | The ironic-api service in OpenStack Ironic before 4.2.5 (Liberty) and 5.x before 5.1.2 (Mitaka) allows remote attackers to obtain sensitive information about a registered node by leveraging knowledge of the MAC address of a network card belonging to that node and sending a crafte |