GHSA-jrh2-f5jc-xpgr
Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
The Ironic API is network-reachable and requires a low-privilege tenant account (AV:N/AC:L/PR:L); the injected boot script takes effect on the provisioned node, a scope change (S:C) that tampers with integrity only (I:H), with no data disclosure (C:N) and no denial of service (A:N).
Primary rating from NVD.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Analysis (AI)
Boot script injection in OpenStack Ironic versions up to and including 35.0.x allows authenticated tenants to influence boot scripts processed by the bare-metal provisioning service; the resulting integrity impact crosses a CVSS scope boundary (S:C) onto the provisioned hardware. The issue is confirmed by upstream advisory OSSA-2026-017 and an Ubuntu USN. No public exploit was identified at the time of analysis, and an EPSS of 0.03% indicates no observed exploitation activity.
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires an account with at least low-privilege access to the Ironic API (CVSS PR:L) and network reachability to that API, which in typical OpenStack deployments is the management/provisioning network rather than the public internet. … |
| Risk Assessment | Signals are mixed but converge on a moderate, not urgent, priority. … |
| Exploit Scenario | An authenticated user with low-privilege access to the Ironic API (or a compromised tenant in a multi-tenant bare-metal cloud) submits crafted node attributes or deploy parameters that are incorporated into the boot script Ironic generates. When the target bare-metal node next boots via Ironic's provisioning workflow, the injected directives execute in the boot environment, altering the integrity of the provisioned host. … |
| Remediation | A patch is available per the vendor advisory: apply the Ironic update referenced in OSSA-2026-017 (https://security.openstack.org/ossa/OSSA-2026-017.html) and, on Ubuntu, install the packages from USN-8421-1 (https://ubuntu.com/security/notices/USN-8421-1). Exact fix versions are not enumerated in the supplied intelligence, so consult the OSSA stable-branch backport list before deploying. … |
Recommended Action (AI)
24 hours: Identify all OpenStack Ironic deployments in production; document installed versions and scope of managed bare-metal assets (count of provisioned systems per cluster). …
EUVD-2026-34181