
CVE-2023-30841 github.com/metal3-io/baremetal-operator

Package

Manager: go
Name: github.com/metal3-io/baremetal-operator
Vulnerable Version: >=0 <0.3.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

EPSS: 0.00012 (percentile 0.01245)

Details

Ironic and ironic-inspector may expose as ConfigMaps

Impact

Ironic and ironic-inspector deployed within Baremetal Operator using the included `deploy.sh` store their `.htpasswd` files as ConfigMaps instead of Secrets. As a result, the plain-text username and hashed password are readable by anyone with cluster-wide read access to the management cluster, or with access to the management cluster's etcd storage.

Patches

This issue is patched in [baremetal-operator PR#1241](https://github.com/metal3-io/baremetal-operator/pull/1241) and is included in BMO release 0.3.0 onwards.

Workarounds

Users may modify the kustomizations and redeploy the BMO, or recreate the required ConfigMaps as Secrets per the instructions in [baremetal-operator PR#1241](https://github.com/metal3-io/baremetal-operator/pull/1241).
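The following is an added example, not code from the advisory or from the baremetal-operator project, showing how a cluster operator could audit ConfigMap listings for htpasswd-style credential entries and emit equivalent Secret manifests, which is the shape of the workaround described above. The sample ConfigMap list, its names, namespace and hash value are constructed for illustration; the real PR#1241 changes are not reproduced here.

```python
import base64
import json
import re
import sys

# Constructed sample of what `kubectl get configmaps -A -o json` returns.
# Names, namespace and the hash string are made up for this example.
SAMPLE_CONFIGMAP_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "v1",
            "kind": "ConfigMap",
            "metadata": {"name": "ironic-htpasswd", "namespace": "baremetal-operator-system"},
            "data": {
                # htpasswd line: clear-text user name, bcrypt-style hash (placeholder value)
                "IRONIC_HTPASSWD": "ironic-user:$2y$05$CONSTRUCTEDPLACEHOLDERHASHVALUE0000000000000000000000"
            },
        },
        {
            "apiVersion": "v1",
            "kind": "ConfigMap",
            "metadata": {"name": "ironic-bmo-configmap", "namespace": "baremetal-operator-system"},
            "data": {"PROVISIONING_INTERFACE": "eth0", "DHCP_RANGE": "172.22.0.10,172.22.0.100"},
        },
    ],
})

# An Apache htpasswd entry is "user:" followed by an APR1-MD5, bcrypt, SHA1 or crypt(3) hash.
HTPASSWD_LINE = re.compile(
    r"^[^:\s]+:(\$apr1\$|\$2[aby]\$|\{SHA\}|[./0-9A-Za-z]{13}$).*", re.MULTILINE
)


def find_htpasswd_configmaps(configmap_list_json: str) -> list:
    """Return (namespace, name, key) for every ConfigMap data entry that looks like an htpasswd file."""
    findings = []
    for item in json.loads(configmap_list_json).get("items", []):
        if item.get("kind") != "ConfigMap":
            continue
        meta = item["metadata"]
        for key, value in item.get("data", {}).items():
            # Flag on the key name as well as on the value format, so a renamed
            # key with htpasswd content and an htpasswd-named key are both caught.
            if "htpasswd" in key.lower() or HTPASSWD_LINE.search(value):
                findings.append((meta["namespace"], meta["name"], key))
    return findings


def configmap_to_secret(configmap: dict) -> dict:
    """Build an Opaque Secret with the same keys; Secret `data` must be base64-encoded."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {
            "name": configmap["metadata"]["name"],
            "namespace": configmap["metadata"]["namespace"],
        },
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in configmap.get("data", {}).items()},
    }


def convert_flagged_to_secrets(configmap_list_json: str) -> list:
    """Return Secret manifests for every ConfigMap that carries htpasswd-style data."""
    flagged = {(ns, name) for ns, name, _ in find_htpasswd_configmaps(configmap_list_json)}
    return [
        configmap_to_secret(item)
        for item in json.loads(configmap_list_json).get("items", [])
        if item.get("kind") == "ConfigMap"
        and (item["metadata"]["namespace"], item["metadata"]["name"]) in flagged
    ]


def decode_secret_data(secret: dict) -> dict:
    """Decode a Secret's base64 `data` back to strings (used to verify the conversion)."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}


if __name__ == "__main__":
    # Pipe real output in with: kubectl get configmaps -A -o json | python3 this_script.py
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIGMAP_LIST
    for ns, name, key in find_htpasswd_configmaps(source):
        print(f"htpasswd-style entry in ConfigMap {ns}/{name}, key {key}", file=sys.stderr)
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": convert_flagged_to_secrets(source)}, indent=2))
```

The emitted Secret manifests can be applied and the original ConfigMaps deleted once the Ironic deployment references the Secrets; keep in mind that a Secret only narrows the RBAC surface, since anyone with read access to etcd can still recover its contents unless etcd encryption at rest is enabled.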

Metadata

Created: 2023-04-26T19:46:00Z
Modified: 2023-04-26T19:46:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-9wh7-397j-722m/GHSA-9wh7-397j-722m.json
CWE IDs: ["CWE-200", "CWE-319"]
Alternative ID: GHSA-9wh7-397j-722m
Finding: F017
Auto approve: 1