---
security:
  - A critical security vulnerability (CVE-2016-4985) was fixed in this
    release. Previously, a client with network access to the ironic-api service
    was able to bypass Keystone authentication and retrieve all information
    about any Node registered with Ironic, if they knew (or were able to guess)
    the MAC address of a network card belonging to that Node, by sending a
    crafted POST request to the /v1/drivers/$DRIVER_NAME/vendor_passthru
    resource. Ironic's policy.json configuration is now respected when
    responding to this request such that, if passwords should be masked for
    other requests, they are also masked for this request.