VYPR

Ironic

by OpenStack

pypi: ironic


CVEs (11)

  • CVE-2026-54421 (Medium, Jun 14, 2026)
    risk 0.44, CVSS 6.8, EPSS 0.00

    In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POST outcome is not a security…

  • CVE-2015-7514 (Medium, Jun 7, 2017)
    risk 0.42, CVSS 6.5, EPSS 0.02

    OpenStack Ironic 4.2.0 through 4.2.1 does not "clean" the disk after use, which allows remote authenticated users to obtain sensitive information.

  • CVE-2026-48681 (Medium, Jun 4, 2026)
    risk 0.38, CVSS 5.9, EPSS 0.01

    OpenStack Ironic through before 35.0.2 allows file overwrite via directory traversal during deployment with a crafted ISO image.

  • CVE-2026-50589 (Medium, Jun 5, 2026)
    risk 0.34, CVSS 5.3, EPSS 0.00

    In OpenStack Ironic 32 before 37.0.0, an unauthenticated malicious user could submit a crafted JSON string to some endpoints on the API or JSON-RPC service and effect a service crash.

  • CVE-2026-46447 (Medium, Jun 3, 2026)
    risk 0.31, CVSS 5.8, EPSS 0.00

    OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info.

  • CVE-2024-47211 (Medium, Oct 4, 2024)
    risk 0.28, CVSS 5.3, EPSS 0.01

    In OpenStack Ironic before 21.4.4, 22.x and 23.x before 23.0.3, 23.x and 24.x before 24.1.3, and 25.x and 26.x before 26.1.0, there is a lack of checksum validation of supplied image_source URLs when configured to convert images to a raw format for streaming.

  • CVE-2024-44082 (Medium, Sep 6, 2024)
    risk 0.28, CVSS 4.3, EPSS 0.01

    In OpenStack Ironic before 26.0.1 and ironic-python-agent before 9.13.1, there is a vulnerability in image processing, in which a crafted image could be used by an authenticated user to exploit undesired behaviors in qemu-img, including possible unauthorized access to…

  • CVE-2026-44917 (Medium, Jun 4, 2026)
    risk 0.25, CVSS 4.9, EPSS 0.00

    OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via a pxe_template.

  • CVE-2026-44919 (Medium, May 14, 2026)
    risk 0.21, CVSS 4.3, EPSS 0.00

    In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL.

  • CVE-2026-44916 (Low, May 8, 2026)
    risk 0.20, CVSS 3.0, EPSS 0.00

    In OpenStack Ironic before 35.0.2 (in a certain non-default configuration), instance_info['ks_template'] is rendered without sandboxing.

  • CVE-2025-44021 (Low, May 8, 2025)
    risk 0.11, CVSS 2.8, EPSS 0.00

    OpenStack Ironic before 29.0.1 can write unintended files to a target node disk during image handling (if a deployment was performed via the API). A malicious project assigned as a node owner can provide a path to any local file (readable by ironic-conductor), which may then be…