
Aeva Black

#37591 of 53,635
7.5 Total CVSS
Vulnerabilities · 1
PT-2016-6206
7.5
2016-07-12
Openstack · Openstack Ironic · CVE-2016-4985
**Name of the Vulnerable Software and Affected Versions**

OpenStack Ironic versions prior to 4.2.5 (Liberty)
OpenStack Ironic versions 5.x prior to 5.1.2 (Mitaka)

**Description**

The issue allows remote attackers to obtain sensitive information about a registered node by leveraging knowledge of the MAC address of a network card belonging to that node and sending a crafted POST request to the `v1/drivers/$DRIVER_NAME/vendor_passthru` resource.

**Recommendations**

For OpenStack Ironic versions prior to 4.2.5 (Liberty), update to version 4.2.5 or later.
For OpenStack Ironic versions 5.x prior to 5.1.2 (Mitaka), update to version 5.1.2 or later.
As a temporary workaround, consider restricting access to the `v1/drivers/$DRIVER_NAME/vendor_passthru` resource until a patch is available.