CVE-2023-40585
CVSS 3.1 Score 7.5 of 10 (high)
Details
Summary
CVE-2023-40585 is a vulnerability in the Ironic container image used by Metal³ to deploy OpenStack Ironic. Prior to version capm3-v1.4.3, the Ironic APIs were not protected by any authentication when Ironic was deployed without TLS and with the API and Conductor services not split. This allowed unauthenticated access to the Ironic API. Operators who have configured the Ironic API without TLS are at risk, even though TLS and authentication should not be coupled. Versions capm3-v1.4.3 and newer include a patch for this issue. Operators can mitigate the risk by configuring TLS for the Ironic API or by splitting the API and Conductor services; in both cases the httpd front-end applies the proper authentication configuration.