ironic/releasenotes/notes/fix-cve-2016-4985-b62abae57...

12 lines
677 B
YAML

---
security:
- A critical security vulnerability (CVE-2016-4985) was fixed in this
release. Previously, a client with network access to the ironic-api service
was able to bypass Keystone authentication and retrieve all information
about any Node registered with Ironic, if they knew (or were able to guess)
the MAC address of a network card belonging to that Node, by sending a
crafted POST request to the /v1/drivers/$DRIVER_NAME/vendor_passthru
resource. Ironic's policy.json configuration is now respected when
responding to this request such that, if passwords should be masked for
other requests, they are also masked for this request.