GHSA-hfc8-w5f4-3x6m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hfc8-w5f4-3x6m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-hfc8-w5f4-3x6m/GHSA-hfc8-w5f4-3x6m.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hfc8-w5f4-3x6m
- Published
- 2026-05-29T18:23:34Z
- Modified
- 2026-05-29T18:30:08.111728800Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Ironic Standalone Operator's controller modifies user-owned resources without consent
- Details
-
Impact
The Ironic Standalone Operator (IRSO) is the operator to maintain an Ironic deployment for Metal3. IRSO controller automatically adds its environment label to user-provided Secrets and ConfigMaps without the resource owner's consent. A high-privilege controller modifying user-owned resources constitutes an unauthorized integrity violation. Deployments running IrSO v0.7.0 through v0.8.1 that reference user-provided Secrets or ConfigMaps (TLS certificates, BMC CA, trusted CA) are affected.
Patches
Fixed in v0.9.0, v0.8.2, v0.7.3.
Workarounds
Manually add the environment label (ironic-standalone-operator.metal3.io/environment) to all user-provided Secrets and ConfigMaps before they are referenced in the Ironic resource. This prevents the controller from modifying them.
Resources
- https://github.com/metal3-io/ironic-standalone-operator/pull/619
- https://github.com/metal3-io/ironic-standalone-operator/pull/664
- https://github.com/metal3-io/ironic-standalone-operator/pull/665
- Database specific
{ "cwe_ids": [ "CWE-862" ], "severity": "MODERATE", "github_reviewed_at": "2026-05-29T18:23:34Z", "github_reviewed": true, "nvd_published_at": null }- References
-
- https://github.com/metal3-io/ironic-standalone-operator/security/advisories/GHSA-hfc8-w5f4-3x6m
- https://github.com/metal3-io/ironic-standalone-operator/pull/619
- https://github.com/metal3-io/ironic-standalone-operator/pull/664
- https://github.com/metal3-io/ironic-standalone-operator/pull/665
- https://github.com/metal3-io/ironic-standalone-operator
Affected packages
Go / github.com/metal3-io/ironic-standalone-operator
Package
- Name
- github.com/metal3-io/ironic-standalone-operator
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/metal3-io/ironic-standalone-operator
Go / github.com/metal3-io/ironic-standalone-operator
Package
- Name
- github.com/metal3-io/ironic-standalone-operator
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/metal3-io/ironic-standalone-operator