PT-2023-22996

Author: Tuminoid
Published: 2023-04-26
Updated: 2023-05-09
CVE: CVE-2023-30841
CVSS v3.1: 6.0 (Medium)
Vector: AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Baremetal Operator versions prior to 0.3.0

Description: The issue arises from the storage of .htpasswd files as ConfigMaps instead of Secrets by ironic and ironic-inspector deployed within Baremetal Operator using the included deploy.sh. As a result, the plain-text username and hashed password are readable by anyone with cluster-wide read access to the management cluster, or with access to the management cluster's Etcd storage.

Recommendations: For versions prior to 0.3.0, update to version 0.3.0 or later to resolve the issue. As a temporary workaround, users may modify the kustomizations and redeploy the BMO, or recreate the required ConfigMaps as Secrets per the instructions in baremetal-operator PR#1241.
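As an added example, not code from the advisory or from the Baremetal Operator project: a Python check that scans a ConfigMapList (the JSON shape `kubectl get configmaps -A -o json` returns) for data entries shaped like an htpasswd file, which is the exposure this advisory describes, and builds the equivalent Secret manifest for each hit, as the workaround recommends. The namespace, ConfigMap names and hash value in the embedded sample are constructed placeholders.

```python
import base64
import json
import re
# One htpasswd entry: "<user>:<hash>", hash in a format the Apache htpasswd
# tool emits (bcrypt $2y$, MD5 $apr1$, {SHA}, or crypt $1$/$5$/$6$).
HTPASSWD_LINE = re.compile(
    r"^[^:\s]+:(\$2[aby]\$\d\d\$|\$apr1\$|\{SHA\}|\$1\$|\$5\$|\$6\$)\S+$")

def looks_like_htpasswd(text):
    """True if every non-empty line of `text` parses as an htpasswd entry."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return bool(lines) and all(HTPASSWD_LINE.match(ln) for ln in lines)

def find_htpasswd_configmaps(cm_list):
    """Report (namespace, name, key) for every htpasswd-shaped data entry in a
    ConfigMapList, the JSON shape `kubectl get configmaps -A -o json` returns."""
    hits = []
    for cm in cm_list.get("items", []):
        meta = cm["metadata"]
        for key, value in cm.get("data", {}).items():
            if looks_like_htpasswd(value):
                hits.append((meta.get("namespace", "default"), meta["name"], key))
    return hits

def configmap_to_secret(cm):
    """Equivalent Opaque Secret for a ConfigMap (the advisory's workaround of
    recreating it as a Secret); Secret.data is base64, ConfigMap.data is plain."""
    meta = cm["metadata"]
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {k: meta[k] for k in ("name", "namespace") if k in meta},
        "data": {k: base64.b64encode(v.encode()).decode()
                 for k, v in cm.get("data", {}).items()},
    }

# Constructed sample shaped like kubectl output; the namespace, object names
# and the bcrypt string are placeholders, not values from the advisory.
SAMPLE = {"kind": "ConfigMapList", "items": [
    {"metadata": {"name": "example-ironic-htpasswd", "namespace": "example-bmo"},
     "data": {"htpasswd": "ironic-user:$2y$05$PLACEHOLDERsaltPLACEHOLDERhashvalue\n"}},
    {"metadata": {"name": "example-ironic-settings", "namespace": "example-bmo"},
     "data": {"HTTP_PORT": "6180", "PROVISIONING_IP": "172.22.0.2"}},
]}

if __name__ == "__main__":
    flagged = {name for _, name, _ in find_htpasswd_configmaps(SAMPLE)}
    for cm in SAMPLE["items"]:
        if cm["metadata"]["name"] in flagged:
            print(json.dumps(configmap_to_secret(cm), indent=2))
```

On a real cluster, load the output of `kubectl get configmaps -A -o json` with `json.load` instead of SAMPLE; after the Secret is created the flagged ConfigMap still has to be deleted, since until then the hashed credential remains readable to anyone with cluster-wide read access.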


Weakness Enumeration

Cleartext Transmission of Sensitive Information
Information Disclosure

Related Identifiers

CVE-2023-30841
GHSA-9WH7-397J-722M

Affected Products

Baremetal Operator
Ironic
Ironic-Inspector