CVE-2024-47211

In OpenStack Ironic before 21.4.4, 22.x and 23.x before 23.0.3, 23.x and 24.x before 24.1.3, and 25.x and 26.x before 26.1.0, there is a lack of checksum validation of supplied image_source URLs when configured to convert images to a raw format for streaming.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 43%
Debian logo
Debian Releases
Debian Product
Codename
ironic
bullseye
postponed
bookworm
no-dsa
sid
1:29.0.0-6
fixed
trixie
1:29.0.0-6
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ironic
plucky
needs-triage
oracular
needs-triage
noble
needs-triage
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
References
https://github.com/openstack/ironic/compare/24.1.2...26.1.0
https://github.com/openstack/ironic/security
https://github.com/openstack/ironic/tags
https://security.openstack.org/ossa/OSSA-2024-004.html
http://www.openwall.com/lists/oss-security/2024/10/05/2