{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-30841", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-04-18T16:13:15.880Z", "datePublished": "2023-04-26T18:24:04.479Z", "dateUpdated": "2024-08-02T14:37:15.430Z"}, "containers": {"cna": {"title": "Ironic and ironic-inspector deployed within Baremetal Operator may expose as ConfigMaps", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-9wh7-397j-722m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-9wh7-397j-722m"}, {"name": "https://github.com/metal3-io/baremetal-operator/pull/1241", "tags": ["x_refsource_MISC"], "url": "https://github.com/metal3-io/baremetal-operator/pull/1241"}], "affected": [{"vendor": "metal3-io", "product": "baremetal-operator", "versions": [{"version": "< 0.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-04-26T18:24:04.479Z"}, "descriptions": [{"lang": "en", "value": "Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included `deploy.sh` store their `.htpasswd` files as ConfigMaps instead of Secrets. This causes the plain-text username and hashed password to be readable by anyone having a cluster-wide read-access to the management cluster, or access to the management cluster's Etcd storage. This issue is patched in baremetal-operator PR#1241, and is included in BMO release 0.3.0 onwards. As a workaround, users may modify the kustomizations and redeploy the BMO, or recreate the required ConfigMaps as Secrets per instructions in baremetal-operator PR#1241."}], "source": {"advisory": "GHSA-9wh7-397j-722m", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:37:15.430Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-9wh7-397j-722m", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-9wh7-397j-722m"}, {"name": "https://github.com/metal3-io/baremetal-operator/pull/1241", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/metal3-io/baremetal-operator/pull/1241"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:baremetal_operator:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA9EF57A-FEA8-4F8F-8E1D-9F28B2DBC19F", "versionEndExcluding": "0.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included `deploy.sh` store their `.htpasswd` files as ConfigMaps instead of Secrets. This causes the plain-text username and hashed password to be readable by anyone having a cluster-wide read-access to the management cluster, or access to the management cluster's Etcd storage. This issue is patched in baremetal-operator PR#1241, and is included in BMO release 0.3.0 onwards. As a workaround, users may modify the kustomizations and redeploy the BMO, or recreate the required ConfigMaps as Secrets per instructions in baremetal-operator PR#1241."}], "id": "CVE-2023-30841", "lastModified": "2023-05-09T15:20:02.787", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-04-26T19:15:09.140", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking", "Patch"], "url": "https://github.com/metal3-io/baremetal-operator/pull/1241"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-9wh7-397j-722m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3801", "cpe": "cpe:/a:redhat:openshift:4.12::el8", "package": "openshift4/topology-aware-lifecycle-manager-operator-bundle:v4.12.8-17", "product_name": "Red Hat OpenShift Container Platform 4.12", "release_date": "2024-06-11T00:00:00Z"}, {"advisory": "RHSA-2024:3801", "cpe": "cpe:/a:redhat:openshift:4.12::el8", "package": "openshift4/topology-aware-lifecycle-manager-precache-rhel8:v4.12.8-4", "product_name": "Red Hat OpenShift Container Platform 4.12", "release_date": "2024-06-11T00:00:00Z"}, {"advisory": "RHSA-2024:3801", "cpe": "cpe:/a:redhat:openshift:4.12::el8", "package": "openshift4/topology-aware-lifecycle-manager-recovery-rhel8:v4.12.8-4", "product_name": "Red Hat OpenShift Container Platform 4.12", "release_date": "2024-06-11T00:00:00Z"}, {"advisory": "RHSA-2024:3801", "cpe": "cpe:/a:redhat:openshift:4.12::el8", "package": "openshift4/topology-aware-lifecycle-manager-rhel8-operator:v4.12.8-4", "product_name": "Red Hat OpenShift Container Platform 4.12", "release_date": "2024-06-11T00:00:00Z"}, {"advisory": "RHSA-2024:3801", "cpe": "cpe:/a:redhat:openshift:4.12::el8", "package": "openshift4/ztp-site-generate-rhel8:v4.12.6-18", "product_name": "Red Hat OpenShift Container Platform 4.12", "release_date": "2024-06-11T00:00:00Z"}, {"advisory": "RHSA-2023:1326", "cpe": "cpe:/a:redhat:openshift:4.13::el8", "package": "openshift4/ose-baremetal-rhel8-operator:v4.13.0-202305021616.p0.ge037aa0.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.13", "release_date": "2023-05-17T00:00:00Z"}, {"advisory": "RHSA-2023:6143", "cpe": "cpe:/a:redhat:openshift:4.14::el8", "package": "openshift4/topology-aware-lifecycle-manager-rhel8-operator:v4.14.0-68", "product_name": "Red Hat OpenShift Container Platform 4.14", "release_date": "2023-10-26T00:00:00Z"}], "bugzilla": {"description": "baremetal-operator: plain-text username and hashed password readable by anyone having a cluster-wide read-access", "id": "2190116", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2190116"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N", "status": "verified"}, "details": ["Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included `deploy.sh` store their `.htpasswd` files as ConfigMaps instead of Secrets. This causes the plain-text username and hashed password to be readable by anyone having a cluster-wide read-access to the management cluster, or access to the management cluster's Etcd storage. This issue is patched in baremetal-operator PR#1241, and is included in BMO release 0.3.0 onwards. As a workaround, users may modify the kustomizations and redeploy the BMO, or recreate the required ConfigMaps as Secrets per instructions in baremetal-operator PR#1241.", "A flaw was found in the baremetal-operator, where the ironic and ironic-inspector deployed within the baremetal operator using the included deploy.sh store `.htpasswd` files as ConfigMaps instead of Secrets. This issue causes the plain-text username and hashed password to be readable by anyone having a cluster-wide read-access to the management cluster or access to the management cluster's etcd storage."], "name": "CVE-2023-30841", "package_state": [{"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-agent-installer-api-server-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-baremetal-machine-controllers-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-cluster-baremetal-operator-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-image-customization-controller-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-installer", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:assisted_installer:", "fix_state": "Will not fix", "package_name": "rhai-tech-preview/assisted-installer-agent-rhel8", "product_name": "Red Hat OpenShift Container Platform Assisted Installer"}, {"cpe": "cpe:/a:redhat:assisted_installer:", "fix_state": "Will not fix", "package_name": "rhai-tech-preview/assisted-installer-rhel8", "product_name": "Red Hat OpenShift Container Platform Assisted Installer"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-multicluster-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odr-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}], "public_date": "2023-04-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-30841\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-30841\nhttps://github.com/metal3-io/baremetal-operator/pull/1241\nhttps://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-9wh7-397j-722m"], "threat_severity": "Moderate", "upstream_fix": "baremetal-operator 0.3.0"}