Unauthenticated access to Ironic API
CVE-2023-40585

7.3 HIGH

Key Information:

Vendor

Metal3-io

CVE Published:
25 August 2023

What is CVE-2023-40585?

A vulnerability exists in the OpenStack Ironic API when it is not deployed with TLS and lacks separation of API and Conductor services. In such configurations, the API is not subject to authentication protections, leaving it open to access by anyone if the node is not secured by a firewall. This issue primarily arises in versions prior to capm3-v1.4.3. Although the default installation ensures secure access via TLS and basic authentication, improper configuration can expose the API, making it crucial for operators to adhere to best practices. Workarounds include enforcing TLS for the Ironic API or configuring separate services for API and Conductor, with the use of an httpd front-end to ensure proper authentication.

Affected Version(s)

ironic-image < capm3-v1.4.3

References

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
