CVE-2023-30841 — Sensitive Information Exposure in Baremetal-operator

CWE-200 — Sensitive Information Exposure CWE-319 — Cleartext Transmission of Sensitive Info4 documents4 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 96.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Metal3-io Baremetal-operator Github.com Metal3-io Baremetal-operator Linuxfoundation Baremetal Operator

Timeline

PublishedApr 26

Latest updateApr 27

Description

Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included `deploy.sh` store their `.htpasswd` files as ConfigMaps instead of Secrets. This causes the plain-text username and hashed password to be readable by anyone having a cluster-wide read-access to the management cluster, or access to the management cluster's Etcd storage. This issue is patched in baremetal-op…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5metal3-io/baremetal-operator< 0.3.0

▶NVDlinuxfoundation/baremetal_operator< 0.3.0

▶Gogithub.com/metal3-io_baremetal-operator< 0.3.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Ironic and ironic-inspector may expose as ConfigMaps↗2023-04-26

▶

OSV

Ironic and ironic-inspector may expose as ConfigMaps↗2023-04-26

▶

📋Vendor Advisories

Red Hat

baremetal-operator: plain-text username and hashed password readable by anyone having a cluster-wide read-access↗2023-04-27

▶