==========================================================================================================
OSSA-2026-010: Credential Forwarding to Arbitrary Endpoints via Ironic's idrac Configuration molds Feature
==========================================================================================================

:Date: May 05, 2026
:CVE: CVE-2026-42997


Affects
~~~~~~~
- Ironic: >=17.0.0 <26.1.6, >=27.0.0 <29.0.5, >=30.0.0 <32.0.1, >=33.0.0 <35.0.1


Description
~~~~~~~~~~~
Dmitry Tantsur and Tuomo Tanskanen from the Metal3.io Security Team reported a vulnerability in Ironic's configuration mold import code for idrac. When importing a configuration mold, a user invoking molds can request that authorization be sent to a remote endpoint. The credential forwarded is either a time-limited Keystone token (which grants access to every OpenStack service Ironic is authorized for) or the basic credentials configured for mold storage. Operators normally choose the storage URL, and the attacker must already be authenticated with permission to execute clean/deploy steps; however, the URL used for the authorization request is user-controlled and is not validated by Ironic.
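An illustrative hardening of the pattern described above, written for this advisory as an added example and not Ironic's own code or patch: credentials are attached to a request only when the user-supplied URL stays within the operator-configured storage origin. The base URL, credential value and function names below are constructed for the example.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed values for this example (not Ironic's configuration): the
# operator-configured mold storage location and the credentials that may
# only ever be sent to it.
STORAGE_BASE = "https://molds.example.internal:8443/molds/"
STORAGE_AUTH = {"Authorization": "Basic <placeholder-credentials>"}

_DEFAULT_PORTS = {"https": 443, "http": 80}


class CredentialLeakError(ValueError):
    """A request would forward credentials outside the trusted storage origin."""


def _port(parts):
    """Effective port, filling in the scheme default when none is given."""
    return parts.port if parts.port is not None else _DEFAULT_PORTS.get(parts.scheme)


def same_origin(url, base):
    """True only if url has base's scheme, host and port and lies under base's path.

    hostname (not netloc) is compared so that userinfo such as
    'https://trusted-host@other-host/...' resolves to the real host, and paths
    are normalised so '..' segments cannot escape the configured prefix.
    """
    u, b = urlsplit(url), urlsplit(base)
    if u.scheme.lower() != b.scheme.lower():
        return False
    if (u.hostname or "").lower() != (b.hostname or "").lower():
        return False
    if _port(u) != _port(b):
        return False
    u_path = posixpath.normpath(u.path or "/")
    b_path = posixpath.normpath(b.path or "/")
    return b_path == "/" or u_path == b_path or u_path.startswith(b_path + "/")


def authorized_headers(url, base=STORAGE_BASE, auth=STORAGE_AUTH):
    """Return auth headers for url, or refuse when url leaves the trusted origin.

    The unvalidated variant (attaching auth to whatever URL the caller passed)
    is the behaviour the advisory describes.
    """
    if not same_origin(url, base):
        raise CredentialLeakError("refusing to send credentials to %r" % url)
    return dict(auth)
```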



Patches
~~~~~~~
- https://review.opendev.org/c/openstack/ironic/+/986817 (2023.1/antelope (unmaintained))
- https://review.opendev.org/c/openstack/ironic/+/986816 (2024.1/caracal (unmaintained))
- https://review.opendev.org/c/openstack/ironic/+/986815 (2024.2/dalmatian)
- https://review.opendev.org/c/openstack/ironic/+/986767 (2025.1/epoxy)
- https://review.opendev.org/c/openstack/ironic/+/986737 (2025.2/flamingo)
- https://review.opendev.org/c/openstack/ironic/+/986725 (2026.1/gazpacho)


Credits
~~~~~~~
- Dmitry Tantsur from Metal3.io Security Team
- Tuomo Tanskanen from Metal3.io Security Team


References
~~~~~~~~~~
- https://bugs.launchpad.net/ironic/+bug/2148317
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42997


Notes
~~~~~
- The molds feature was deprecated in the 2024.1 (Caracal) release and
  has been removed during development of the 2026.2 (Hibiscus) release.
