VDB
CVE-2016-4985
CVE-2016-4985
PUBLISHED
The ironic-api service in OpenStack Ironic before 4.2.5 (Liberty) and 5.x before 5.1.2 (Mitaka) allows remote attackers to obtain sensitive information about a registered node by leveraging knowledge of the MAC address of a network card belonging to that node and sending a crafted POST request to the v1/drivers/$DRIVER_NAME/vendor_passthru resource.
EPSS 0.79% · 74.2th percentile
Risk Scores
EPSS Score
0.79%
74.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | ironic | 0, 1:4.2.0-0ubuntu1, 1:5.1.0-0ubuntu1 |
Exploit Intelligence
- https://review.openstack.org/332197 (circl)
- https://bugs.launchpad.net/ironic/+bug/1572796 (circl)
- [oss-security] 20160621 Ironic node information including credentials exposed to unathenticated users (circl)
- https://review.openstack.org/332195 (circl)
- RHSA-2016:1378 (circl)
- RHSA-2016:1377 (circl)
- https://review.openstack.org/332196 (circl)
Timeline
- Jul 12, 2016 CVE Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Sep 3, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Feb 8, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 2, 2023 EPSS Score
- May 25, 2023 EPSS Score
- Jul 16, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2016-4985 third-party-advisory
- https://marc.info/?l=oss-security&m=146654947532322&w=2 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2016-4985 third-party-advisory