Impact
OpenStack Ironic versions before 37.0.1 allow an authenticated user to perform a PATCH request on volume properties for which they are authorized and receive unredacted sensitive information in the response, such as iSCSI credentials. This behavior constitutes a data leak (CWE-212). The PATCH operation is the security issue: the POST operation on the same resource does not expose sensitive data, which indicates the problem is specific to the PATCH response path.
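The defect described above is a response-path inconsistency: one write path (POST) masks secrets before returning the resource, the other (PATCH) returns the stored object as-is. The following is an added example, not Ironic's own code, showing the vulnerable pattern beside the hardened one: a single redaction step that every response path passes through, so a new or changed handler cannot skip it. The resource shape, the property names (`auth_username`, `auth_password`, `target_lun`) and the `VolumeTargetStore` class are assumptions made for this example; the JSON Patch handling is a minimal subset.

```python
# Added example (not Ironic's own code): consistent redaction of volume-target
# properties across POST and PATCH response paths.
import copy

# Assumed secret-bearing keys inside a volume target's "properties" mapping.
SENSITIVE_KEYS = frozenset({"auth_username", "auth_password", "chap_secret"})
REDACTED = "******"

# Constructed sample resource; the credential values are placeholders.
SAMPLE_TARGET = {
    "uuid": "constructed-uuid-0001",
    "volume_type": "iscsi",
    "properties": {
        "target_iqn": "iqn.2000-01.example:constructed",
        "target_lun": 1,
        "auth_username": "constructed-user",
        "auth_password": "constructed-secret",
    },
}


def redact_properties(resource: dict) -> dict:
    """Return a copy of the resource with sensitive property values masked."""
    out = copy.deepcopy(resource)
    props = out.get("properties") or {}
    for key in list(props):
        if key.lower() in SENSITIVE_KEYS:
            props[key] = REDACTED
    out["properties"] = props
    return out


def contains_secret(resource: dict) -> bool:
    """True if any sensitive property is present and not masked."""
    props = resource.get("properties") or {}
    return any(k.lower() in SENSITIVE_KEYS and v != REDACTED for k, v in props.items())


def apply_patch(resource: dict, patch: list) -> dict:
    """Apply a minimal JSON Patch (add/replace/remove) and return a new dict."""
    out = copy.deepcopy(resource)
    for op in patch:
        parts = op["path"].strip("/").split("/")
        node = out
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        if op["op"] in ("add", "replace"):
            node[parts[-1]] = op["value"]
        elif op["op"] == "remove":
            node.pop(parts[-1], None)
        else:
            raise ValueError(f"unsupported op {op['op']!r}")
    return out


class VolumeTargetStore:
    """Hypothetical in-memory store standing in for the API's persistence layer."""

    def __init__(self) -> None:
        self._targets = {}

    def create(self, uuid: str, body: dict) -> dict:
        # POST path: stores the raw body but returns a redacted view.
        self._targets[uuid] = copy.deepcopy(body)
        return redact_properties(self._targets[uuid])

    def patch_unsafe(self, uuid: str, patch: list) -> dict:
        # Vulnerable pattern: the PATCH path returns the stored object directly,
        # bypassing the redaction that the POST path applies.
        self._targets[uuid] = apply_patch(self._targets[uuid], patch)
        return self._targets[uuid]

    def patch(self, uuid: str, patch: list) -> dict:
        # Hardened pattern: every response goes through the same redaction step.
        self._targets[uuid] = apply_patch(self._targets[uuid], patch)
        return redact_properties(self._targets[uuid])


if __name__ == "__main__":
    store = VolumeTargetStore()
    store.create(SAMPLE_TARGET["uuid"], SAMPLE_TARGET)
    change = [{"op": "replace", "path": "/properties/target_lun", "value": 2}]
    print("unsafe PATCH leaks:", contains_secret(store.patch_unsafe(SAMPLE_TARGET["uuid"], change)))
    print("hardened PATCH leaks:", contains_secret(store.patch(SAMPLE_TARGET["uuid"], change)))
```

The check worth keeping from this is `contains_secret`: run against the serialized body of every write-path response in a test suite, it turns the PATCH/POST inconsistency into a failing test rather than a field report.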
Affected Systems
The vulnerability affects OpenStack Ironic releases prior to 37.0.1. Deployments using any of those versions that permit volume property modifications are at risk.
Risk and Exploitability
The CVSS score of 6.8 indicates moderate severity, while the EPSS score is below 1%, suggesting no current data on exploit probability. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is internal or delegated use of a PATCH operation on volume properties the user is already authorized to modify, allowing that user to read back credentials that were intended to remain confidential.
OpenCVE Enrichment