Fluid Attacks Database

Description

In OpenStack Ironic before 26.0.1 and ironic-python-agent before 9.13.1, there is a vulnerability in image processing, in which a crafted image could be used by an authenticated user to exploit undesired behaviors in qemu-img, including possible unauthorized access to potentially sensitive data. The affected/fixed version details are: Ironic: <21.4.3, >=22.0.0 <23.0.2, >=23.1.0 <24.1.2, >=25.0.0 <26.0.1; Ironic-python-agent: <9.4.2, >=9.5.0 <9.7.1, >=9.8.0 <9.11.1, >=9.12.0 <9.13.1.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	ironic	>=0 <1:26.1.0-1	1:26.1.0-1
debian 11	ironic	=1:16.0.3-1 \|\| =1:16.2.0-1 \|\| =1:17.0.0-1 \|\| =1:17.0.1-1 \|\| =1:17.0.3-1 \|\| =1:17.0.3-2 \|\| =1:18.1.0-1 \|\| =1:18.2.0-1 \|\| =1:18.2.0-2 \|\| =1:18.2.0-3 \|\| =1:20.0.0-1 \|\| =1:20.1.0-1 \|\| =1:20.1.0-2 \|\| =1:21.0.0-1 \|\| =1:21.0.0-2 \|\| =1:21.0.0-3 \|\| =1:21.1.0-1 \|\| =1:21.1.0-2 \|\| =1:21.1.0-3 \|\| =1:21.3.0-1 \|\| =1:21.4.0-1 \|\| =1:21.4.0-2 \|\| =1:21.4.0-3 \|\| =1:21.4.0-4 \|\| =1:22.1.0-1 \|\| =1:23.0.0-1 \|\| =1:23.0.0-2 \|\| =1:23.0.0-3 \|\| =1:23.0.0-4 \|\| =1:24.0.0-1 \|\| =1:24.1.0-1 \|\| =1:24.1.1-1 \|\| =1:24.1.1-2 \|\| =1:24.1.1-3 \|\| =1:26.0.0-1 \|\| =1:26.0.0-2 \|\| =1:26.1.0-1 \|\| =1:26.1.0-2 \|\| =1:26.1.0-3 \|\| =1:26.1.1-1 \|\| =1:26.1.1-2 \|\| =1:26.1.1-3 \|\| =1:26.1.1-4 \|\| =1:29.0.0-1 \|\| =1:29.0.0-2 \|\| =1:29.0.0-3 \|\| =1:29.0.0-4 \|\| =1:29.0.0-5 \|\| =1:29.0.0-6 \|\| =1:29.0.0-7 \|\| =1:32.0.0-1 \|\| =1:32.0.0-2 \|\| =1:32.0.0-4 \|\| =1:32.0.0-5 \|\| =1:32.0.0-6 \|\| =1:32.0.0-7 \|\| =1:34.0.0-1 \|\| =1:35.0.0-1 \|\| =1:35.0.0-2	-
debian 12	ironic	=1:21.1.0-3 \|\| =1:21.3.0-1 \|\| =1:21.4.0-1 \|\| =1:21.4.0-2 \|\| =1:21.4.0-3 \|\| =1:21.4.0-4 \|\| =1:22.1.0-1 \|\| =1:23.0.0-1 \|\| =1:23.0.0-2 \|\| =1:23.0.0-3 \|\| =1:23.0.0-4 \|\| =1:24.0.0-1 \|\| =1:24.1.0-1 \|\| =1:24.1.1-1 \|\| =1:24.1.1-2 \|\| =1:24.1.1-3 \|\| =1:26.0.0-1 \|\| =1:26.0.0-2 \|\| =1:26.1.0-1 \|\| =1:26.1.0-2 \|\| =1:26.1.0-3 \|\| =1:26.1.1-1 \|\| =1:26.1.1-2 \|\| =1:26.1.1-3 \|\| =1:26.1.1-4 \|\| =1:29.0.0-1 \|\| =1:29.0.0-2 \|\| =1:29.0.0-3 \|\| =1:29.0.0-4 \|\| =1:29.0.0-5 \|\| =1:29.0.0-6 \|\| =1:29.0.0-7 \|\| =1:32.0.0-1 \|\| =1:32.0.0-2 \|\| =1:32.0.0-4 \|\| =1:32.0.0-5 \|\| =1:32.0.0-6 \|\| =1:32.0.0-7 \|\| =1:34.0.0-1 \|\| =1:35.0.0-1 \|\| =1:35.0.0-2	-
debian 13	ironic-python-agent	>=0 <9.14.0-1	9.14.0-1
debian 14	ironic	>=0 <1:26.1.0-1	1:26.1.0-1
debian 14	ironic-python-agent	>=0 <9.14.0-1	9.14.0-1

Aliases

1. CVE-2024-440822. NVD-2024-440823. OSV-DEBIAN-2024-440824. OSV-2024-440825. SECURITY-TRACKER-CVE-2024-44082

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.