openstack ironic の CVE(13 件)

CVE 件数: 13 CPE versions: View versions table

概要

本ページは openstack ironic に影響する公開済み CVE(NVD の CPE 経由で関連付け)を列挙します。各行に深刻度指標・概要・公開日が含まれます。

表示中 113 / 13 CVE 件数
«« 先頭 « 前へ 1 / 1 次へ »
CVE 概要 ソース CVSS 最大値 EPSS(%) 公開 更新
CVE-2026-54423 In OpenStack Ironic before 37.0.1, an Ironic user with the ability to deploy nodes using the IPMI management interface can maliciously use the send_raw step to send arbitrary IPMI commands to a node, bypassing Ironic's access control. [email protected] 8.2 0.52% 2026-07-10 2026-07-10
CVE-2026-44918 OpenStack Ironic through before 37.0.1 allows creation or modification of nodes cross-project without authorization. [email protected] 5.5 0.43% 2026-07-10 2026-07-10
CVE-2026-54421 In OpenStack Ironic before 37.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POST outcome is not a security issue. [email protected] 6.8 0.27% 2026-06-14 2026-06-17
CVE-2026-50589 In OpenStack Ironic 32 before 37.0.0, an unauthenticated malicious user could submit a crafted JSON string to some endpoints on the API or JSON-RPC service and effect a service crash. [email protected] 5.3 0.35% 2026-06-04 2026-07-14
CVE-2026-48681 OpenStack Ironic through before 35.0.2 allows file overwrite via directory traversal during deployment with a crafted ISO image. [email protected] 5.9 0.62% 2026-06-04 2026-06-17
CVE-2026-44917 OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via a pxe_template. [email protected] 4.9 0.29% 2026-06-04 2026-06-17
CVE-2026-46447 OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info. [email protected] 5.8 0.26% 2026-06-03 2026-06-17
CVE-2026-44919 In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL. [email protected] 4.3 0.47% 2026-05-13 2026-06-17
CVE-2026-44916 In OpenStack Ironic before 35.0.2 (in a certain non-default configuration), instance_info['ks_template'] is rendered without sandboxing. [email protected] 3.0 0.33% 2026-05-08 2026-06-18
CVE-2026-42997 An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1. [email protected] 7.7 0.37% 2026-05-05 2026-07-15
CVE-2026-42510 OpenStack Ironic before 35.0.1 allows ipmitool execution in a non-default configuration that has a console interface. [email protected] 6.6 0.57% 2026-04-28 2026-06-17
CVE-2025-44021 OpenStack Ironic before 29.0.1 can write unintended files to a target node disk during image handling (if a deployment was performed via the API). A malicious project assigned as a node owner can provide a path to any local file (readable by ironic-conductor), which may then be written to the target node disk. This is difficult to exploit in practice, because a node deployed in this manner should never reach the ACTIVE state, but it still represents a danger in environments running with non-defa [email protected] 2.8 0.15% 2025-05-08 2026-06-17
CVE-2015-7514 OpenStack Ironic 4.2.0 through 4.2.1 does not "clean" the disk after use, which allows remote authenticated users to obtain sensitive information. [email protected] 6.5 1.58% 2017-06-07 2026-06-16
«« 先頭 « 前へ 1 / 1 次へ »
cvelogic Threat Intelligence