VYPR
Vendor: Metal3 Io

Products: 4
CVEs: 6
Across products: 7
Status: Private

Recent CVEs (6)
  • CVE-2025-29781 | Medium | Mar 17, 2025
    risk 0.35 | cvss 6.5 | epss 0.00

    The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. Baremetal Operator enables users to load Secrets from arbitrary namespaces upon deployment of the namespace-scoped Custom Resource `BMCEventSubscription`. Prior to versions 0.8.1…

  • CVE-2023-30841 | Medium | Apr 26, 2023
    risk 0.32 | cvss 6.0 | epss 0.00

    Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included `deploy.sh` store their `.htpasswd` files as ConfigMaps instead of Secrets. This…

  • CVE-2024-43803 | Medium | Sep 3, 2024
    risk 0.25 | cvss 4.9 | epss 0.01

    The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. The `BareMetalHost` (BMH) CRD allows the `userData`, `metaData`, and `networkData` for the provisioned host to be specified as links to Kubernetes Secrets. There are fields for…

  • CVE-2024-31463 | Medium | Apr 17, 2024
    risk 0.24 | cvss 4.7 | epss 0.00

    Ironic-image is an OpenStack Ironic deployment packaged and configured by Metal3. When the reverse proxy mode is enabled by the `IRONIC_REVERSE_PROXY_SETUP` variable set to `true`, 1) HTTP basic credentials are validated on the HTTPD side in a separate container, not in the…

  • CVE-2026-47190 | Medium | Jun 12, 2026
    risk 0.22 | cvss 4.4 | epss 0.00

    IPAM is the IP address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses…

  • CVE-2023-40585 | High | Aug 25, 2023
    risk 0.00 | cvss 7.3 | epss 0.00

    ironic-image is a container image to run OpenStack Ironic as part of Metal³. Prior to version capm3-v1.4.3, if Ironic is not deployed with TLS and it does not have API and Conductor split into separate services, access to the API is not protected by any authentication. Ironic…