{
  "threat_severity" : "Moderate",
  "public_date" : "2023-04-27T00:00:00Z",
  "bugzilla" : {
    "description" : "baremetal-operator: plain-text username and hashed password readable by anyone having a cluster-wide read-access",
    "id" : "2190116",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2190116"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N",
    "status" : "verified"
  },
  "details" : [ "Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included `deploy.sh` store their `.htpasswd` files as ConfigMaps instead of Secrets. This causes the plain-text username and hashed password to be readable by anyone having cluster-wide read access to the management cluster, or access to the management cluster's Etcd storage. This issue is patched in baremetal-operator PR#1241, and is included in BMO release 0.3.0 onwards. As a workaround, users may modify the kustomizations and redeploy the BMO, or recreate the required ConfigMaps as Secrets per instructions in baremetal-operator PR#1241.", "A flaw was found in the baremetal-operator, where the ironic and ironic-inspector deployed within the baremetal operator using the included `deploy.sh` store `.htpasswd` files as ConfigMaps instead of Secrets. This issue causes the plain-text username and hashed password to be readable by anyone having cluster-wide read access to the management cluster or access to the management cluster's etcd storage." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4.12",
    "release_date" : "2024-06-11T00:00:00Z",
    "advisory" : "RHSA-2024:3801",
    "cpe" : "cpe:/a:redhat:openshift:4.12::el8",
    "package" : "openshift4/topology-aware-lifecycle-manager-operator-bundle:v4.12.8-17"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.12",
    "release_date" : "2024-06-11T00:00:00Z",
    "advisory" : "RHSA-2024:3801",
    "cpe" : "cpe:/a:redhat:openshift:4.12::el8",
    "package" : "openshift4/topology-aware-lifecycle-manager-precache-rhel8:v4.12.8-4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.12",
    "release_date" : "2024-06-11T00:00:00Z",
    "advisory" : "RHSA-2024:3801",
    "cpe" : "cpe:/a:redhat:openshift:4.12::el8",
    "package" : "openshift4/topology-aware-lifecycle-manager-recovery-rhel8:v4.12.8-4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.12",
    "release_date" : "2024-06-11T00:00:00Z",
    "advisory" : "RHSA-2024:3801",
    "cpe" : "cpe:/a:redhat:openshift:4.12::el8",
    "package" : "openshift4/topology-aware-lifecycle-manager-rhel8-operator:v4.12.8-4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.12",
    "release_date" : "2024-06-11T00:00:00Z",
    "advisory" : "RHSA-2024:3801",
    "cpe" : "cpe:/a:redhat:openshift:4.12::el8",
    "package" : "openshift4/ztp-site-generate-rhel8:v4.12.6-18"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.13",
    "release_date" : "2023-05-17T00:00:00Z",
    "advisory" : "RHSA-2023:1326",
    "cpe" : "cpe:/a:redhat:openshift:4.13::el8",
    "package" : "openshift4/ose-baremetal-rhel8-operator:v4.13.0-202305021616.p0.ge037aa0.assembly.stream"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.14",
    "release_date" : "2023-10-26T00:00:00Z",
    "advisory" : "RHSA-2023:6143",
    "cpe" : "cpe:/a:redhat:openshift:4.14::el8",
    "package" : "openshift4/topology-aware-lifecycle-manager-rhel8-operator:v4.14.0-68"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-agent-installer-api-server-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-baremetal-machine-controllers",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-cluster-baremetal-operator-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-image-customization-controller-rhel8",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-installer-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform Assisted Installer 1",
    "fix_state" : "Not affected",
    "package_name" : "rhai-tech-preview/assisted-installer-agent-rhel8",
    "cpe" : "cpe:/a:redhat:assisted_installer:1"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform Assisted Installer 1",
    "fix_state" : "Not affected",
    "package_name" : "rhai-tech-preview/assisted-installer-rhel8",
    "cpe" : "cpe:/a:redhat:assisted_installer:1"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Will not fix",
    "package_name" : "odf4/odf-multicluster-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Will not fix",
    "package_name" : "odf4/odr-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-30841\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-30841\nhttps://github.com/metal3-io/baremetal-operator/pull/1241\nhttps://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-9wh7-397j-722m" ],
  "name" : "CVE-2023-30841",
  "csaw" : false
}