Fluid Attacks Database

Description

OpenStack Ironic Exposure of Sensitive Information to an Unauthorized Actor The ironic-api service in OpenStack Ironic before 4.2.5 (Liberty) and 5.x before 5.1.2 (Mitaka) allows remote attackers to obtain sensitive information about a registered node by leveraging knowledge of the MAC address of a network card belonging to that node and sending a crafted POST request to the v1/drivers/$DRIVER_NAME/vendor_passthru resource.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	ironic	>=0 <4.2.5 \|\| >=5.0 <5.1.2	4.2.5, 5.1.2
debian 11	ironic	>=0 <1:5.1.2-1	1:5.1.2-1
debian 12	ironic	>=0 <1:5.1.2-1	1:5.1.2-1
debian 13	ironic	>=0 <1:5.1.2-1	1:5.1.2-1
debian 14	ironic	>=0 <1:5.1.2-1	1:5.1.2-1

Aliases

1. CVE-2016-49852. NVD-2016-49853. OSV-2016-49854. OSV-DEBIAN-2016-49855. GCVE-2016-49856. access.redhat.com7. access.redhat.com8. ACCESS-CVE-2016-49859. SECURITY-TRACKER-CVE-2016-4985

References

1. https://github.com/openstack/ironic/commit/426a306fb580762e97ada04e1253dedd9b64d4102. https://github.com/openstack/ironic/commit/affec224977174581d19a2b914772cb0409f633e3. https://github.com/openstack/ironic/commit/f5a3ff1dfcde068769f9a2a477ba6a9edaf69c774. https://bugs.launchpad.net/ironic/+bug/15727965. https://bugzilla.redhat.com/show_bug.cgi?id=13461936. https://review.openstack.org/3321957. https://review.openstack.org/3321968. https://review.openstack.org/3321979. http://www.openwall.com/lists/oss-security/2016/06/21/6