Tuomo Tanskanen

**Name of the Vulnerable Software and Affected Versions** OpenStack Ironic versions prior to 35.0.2 **Description** An authenticated project admin or manager can read local files on the Ironic conductor by exploiting the `pxe template` variable. **Recommendations** Update to version 35.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** OpenStack Ironic versions 32 through 35.0.1 **Description** An unauthenticated malicious user can cause a service crash by submitting a crafted JSON string to certain endpoints on the API or JSON-RPC service. **Recommendations** Update OpenStack Ironic to a version later than 35.0.1.

**Name of the Vulnerable Software and Affected Versions** OpenStack Ironic versions prior to 35.0.2 **Description** An issue exists where a crafted ISO image can lead to file overwrite via directory traversal during the deployment process. Directory traversal is a technique that allows an attacker to access and manipulate files or directories outside the intended folder by using special character sequences. **Recommendations** Update to version 35.0.2.

**Name of the Vulnerable Software and Affected Versions** OpenStack Ironic versions prior to 35.0.2 **Description** An issue allows Boot Script Injection of an iPXE script, which is a network boot firmware used to boot computers from a network. This occurs if an attacker is able to set the `node.driver info` or `node.instance info` variables. **Recommendations** Update to version 35.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** OpenStack Ironic versions prior to 36.0 **Description** In OpenStack Ironic, the `ks template` variable within `instance info` is rendered without sandboxing. Sandboxing is a security mechanism that isolates executing code to prevent it from accessing or modifying unauthorized parts of the system. **Recommendations** Update to a version later than 35.x. As a temporary workaround, restrict access to the `ks template` variable within `instance info` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenStack Ironic versions prior to 26.1.6 OpenStack Ironic versions prior to 29.0.5 OpenStack Ironic versions prior to 32.0.1 OpenStack Ironic versions prior to 35.0.1 **Description** An issue in idrac allows a user invoking molds during import to request that authorization be sent to a remote endpoint. This can result in the forwarding of basic credentials configured for molds storage or a time-limited Keystone token, which grants access to all OpenStack services that Ironic is authorized to use. **Recommendations** Update to version 26.1.6. Update to version 29.0.5. Update to version 32.0.1. Update to version 35.0.1.

**Name of the Vulnerable Software and Affected Versions** OpenStack Ironic versions prior to 35.0.1 **Description** In a non-default configuration that includes a console interface, the software allows the execution of ipmitool, a utility used to manage and configure Intelligent Platform Management Interface (IPMI) devices. **Recommendations** Update to version 35.0.1.