Ironic and ironic-inspector deployed within Baremetal Operator using the included deploy.sh store their .htpasswd files as ConfigMaps instead of Secrets. This causes the plain-text username and hashed password to be readable by anyone having a cluster-wide read-access to the management cluster, or access to the management cluster's Etcd storage.
This issue is patched in baremetal-operator PR#1241, and is included in BMO release 0.3.0 onwards.
User may modify the kustomizations and redeploy the BMO, or recreate the required ConfigMaps as Secrets per instructions in baremetal-operator PR#1241
| Score | Percentile |
|---|---|
| 0.02% | 3.50% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 6.0 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-9wh7-397j-722m ↗ |
| CVE | CVE-2023-30841 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | github.com/metal3-io/baremetal-operator | < 0.3.0 | 0.3.0 | — |