GHSA-9wh7-397j-722m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9wh7-397j-722m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-9wh7-397j-722m/GHSA-9wh7-397j-722m.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9wh7-397j-722m
- Aliases
- Published
- 2023-04-26T19:46:00Z
- Modified
- 2023-11-08T04:12:27.263669Z
- Severity
-
- 6.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N CVSS Calculator
- Summary
- Ironic and ironic-inspector may expose as ConfigMaps
- Details
-
Impact
Ironic and ironic-inspector deployed within Baremetal Operator using the included
deploy.shstore their.htpasswdfiles as ConfigMaps instead of Secrets. This causes the plain-text username and hashed password to be readable by anyone having a cluster-wide read-access to the management cluster, or access to the management cluster's Etcd storage.Patches
This issue is patched in baremetal-operator PR#1241, and is included in BMO release 0.3.0 onwards.
Workarounds
User may modify the kustomizations and redeploy the BMO, or recreate the required ConfigMaps as Secrets per instructions in baremetal-operator PR#1241
- Database specific
{ "severity": "MODERATE", "cwe_ids": [ "CWE-200", "CWE-319" ], "github_reviewed": true, "github_reviewed_at": "2023-04-26T19:46:00Z", "nvd_published_at": "2023-04-26T19:15:09Z" }- References
Affected packages
Go / github.com/metal3-io/baremetal-operator
Package
- Name
- github.com/metal3-io/baremetal-operator
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/metal3-io/baremetal-operator