Ironic
CVE-2015-7514
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
OpenStack Ironic 4.2.0 through 4.2.1 does not "clean" the disk after use, which allows remote authenticated users to obtain sensitive information.
AnalysisAI
OpenStack Ironic 4.2.0 through 4.2.1 does not "clean" the disk after use, which allows remote authenticated users to obtain sensitive information. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
Technical ContextAI
This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. OpenStack Ironic 4.2.0 through 4.2.1 does not "clean" the disk after use, which allows remote authenticated users to obtain sensitive information. Affected products include: Openstack Ironic. Version information: through 4.2.1.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.
Boot script injection in OpenStack Ironic versions up to and including 35.0.x allows authenticated tenants to influence
Credential forwarding vulnerability in OpenStack Ironic's idrac driver allows authenticated attackers to steal time-limi
Denial of service in OpenStack Ironic versions 32 through 35.0.1 allows remote unauthenticated attackers to crash the ba
Command injection via ipmitool in OpenStack Ironic through 25.0.0 allows authenticated operators with high privileges to
Unredacted iSCSI credential disclosure in OpenStack Ironic through 35.0.1 occurs specifically when an authenticated oper
Infinite loop denial-of-service in OpenStack Ironic's image handling allows low-privileged authenticated attackers to ex
File extraction from the Ironic conductor service is possible via a crafted pxe_template, as disclosed in OpenStack Secu
Server-side template injection in OpenStack Ironic through version 35.x allows authenticated administrators to disclose
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today