vulnerability

Debian: CVE-2025-44021: ironic -- security update

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
2	(AV:L/AC:M/Au:S/C:N/I:P/A:N)	May 8, 2025	May 15, 2025	Aug 15, 2025

Severity

CVSS

(AV:L/AC:M/Au:S/C:N/I:P/A:N)

Published

May 8, 2025

Added

May 15, 2025

Modified

Aug 15, 2025

Description

OpenStack Ironic before 29.0.1 can write unintended files to a target node disk during image handling (if a deployment was performed via the API). A malicious project assigned as a node owner can provide a path to any local file (readable by ironic-conductor), which may then be written to the target node disk. This is difficult to exploit in practice, because a node deployed in this manner should never reach the ACTIVE state, but it still represents a danger in environments running with non-default, insecure configurations such as with automated cleaning disabled. The fixed versions are 24.1.3, 26.1.1, and 29.0.1.

Solution

no-fix-debian-deb-package

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today