CVE-2023-40585

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published: Aug 25, 2023
Updated: Sep 1, 2023
CWE ID 306

Summary

CVE-2023-40585 is a vulnerability in the Ironic container image used by Metal³ to deploy OpenStack Ironic. Prior to version capm3-v1.4.3, the Ironic APIs were not protected by any authentication when the image was deployed without TLS and with the API and Conductor services not split. This allows unauthenticated access to the Ironic API. Operators who have configured the Ironic API without TLS are affected, even though TLS and authentication should not be coupled. Versions capm3-v1.4.3 and newer include a patch for this issue. Operators can mitigate the risk by configuring TLS for the Ironic API or by splitting the API and Conductor services; in both cases the httpd front-end is configured to enforce authentication.
