{
  "threat_severity" : "Moderate",
  "public_date" : "2016-06-21T00:00:00Z",
  "bugzilla" : {
    "description" : "openstack-ironic: Ironic Node information including credentials exposed to unauthenticated users",
    "id" : "1346193",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1346193"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:N/A:N",
    "status" : "verified"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.9",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-290",
  "details" : [ "The ironic-api service in OpenStack Ironic before 4.2.5 (Liberty) and 5.x before 5.1.2 (Mitaka) allows remote attackers to obtain sensitive information about a registered node by leveraging knowledge of the MAC address of a network card belonging to that node and sending a crafted POST request to the v1/drivers/$DRIVER_NAME/vendor_passthru resource.", "An authentication vulnerability was found in openstack-ironic. A client with network access to the ironic-api service could bypass OpenStack Identity authentication, and retrieve all information about any node registered with OpenStack Bare Metal. If an unprivileged attacker knew (or was able to guess) the MAC address of a network card belonging to a node, the flaw could be exploited by sending a crafted POST request to the node's /v1/drivers/$DRIVER_NAME/vendor_passthru resource.  The response included the node's full details, including management passwords, even if the /etc/ironic/policy.json file was configured to hide passwords in API responses." ],
  "acknowledgement" : "Red Hat would like to thank the OpenStack Ironic project for reporting this issue. Upstream acknowledges Devananda van der Veen (IBM) as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
    "release_date" : "2016-07-04T00:00:00Z",
    "advisory" : "RHSA-2016:1377",
    "cpe" : "cpe:/a:redhat:openstack:7::el7",
    "package" : "openstack-ironic-0:2015.1.2-4.el7ost"
  }, {
    "product_name" : "Red Hat OpenStack Platform 8.0 (Liberty)",
    "release_date" : "2016-07-04T00:00:00Z",
    "advisory" : "RHSA-2016:1378",
    "cpe" : "cpe:/a:redhat:openstack:8::el7",
    "package" : "openstack-ironic-1:4.2.5-1.el7ost"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux OpenStack Platform 6 (Juno)",
    "fix_state" : "Will not fix",
    "package_name" : "openstack-ironic",
    "cpe" : "cpe:/a:redhat:openstack:6"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Not affected",
    "package_name" : "openstack-ironic",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 9 (Mitaka)",
    "fix_state" : "Not affected",
    "package_name" : "openstack-ironic",
    "cpe" : "cpe:/a:redhat:openstack:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-4985\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-4985" ],
  "name" : "CVE-2016-4985",
  "csaw" : false
}