Metal3-Io Baremetal-Operator vulnerabilities

3 known vulnerabilities affecting metal3-io/baremetal-operator.

Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: MEDIUM 3

Vulnerabilities

CVE-2025-29781 [MEDIUM] CVSS 6.5 | CWE-200 | affected: = 0.9.0 | fixed in 0.8.1 | date: 2025-03-17
The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. Baremetal Operator enables users to load a Secret from arbitrary namespaces upon deployment of the namespace-scoped Custom Resource `BMCEventSubscription`. Prior to versions 0.8.1 and 0.9.1, an adversary Kubernetes account with only namespace level roles
Source: NVD

CVE-2024-43803 [MEDIUM] CVSS 4.9 | CWE-200 | affected: >= 0.7.0, < 0.8.0; >= 0.6.0, < 0.6.2; +1 more | date: 2024-09-03
The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. The `BareMetalHost` (BMH) CRD allows the `userData`, `metaData`, and `networkData` for the provisioned host to be specified as links to Kubernetes Secrets. There are fields for both the `Name` and `Namespace` of the Secret, meaning that versions of the
Source: NVD

CVE-2023-30841 [MEDIUM] CVSS 5.5 | CWE-200 | fixed in 0.3.0 | date: 2023-04-26
Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included `deploy.sh` store their `.htpasswd` files as ConfigMaps instead of Secrets. This causes the plain-text username and hashed password to be readable by anyone h
Source: NVD