=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN465
_____________________________________________________________________

DATE                : 06/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running OpenStack Ironic versions prior
                          to 26.1.6, 29.0.5, 32.0.1, 35.0.1.

=====================================================================
https://security.openstack.org/ossa/OSSA-2026-010.html
_____________________________________________________________________

OSSA-2026-010: Credential Forwarding to Arbitrary Endpoints via
Ironic’s idrac Configuration molds Feature

Date:

    May 05, 2026

CVE:

    CVE-2026-42997

Affects

    Ironic: >=17.0.0 <26.1.6, >=27.0.0 <29.0.5, >=30.0.0 <32.0.1,
            >=33.0.0 <35.0.1

Description

Dmitry Tantsur and Tuomo Tanskanen from the Metal3.io Security Team
reported a vulnerability in Ironic’s configuration mold import code
for idrac. When importing a configuration mold, a user invoking the
molds step can cause Ironic to send its authorization to a remote
endpoint of the user's choosing. The credential forwarded is either a
time-limited Keystone token (which grants access to every OpenStack
service Ironic is authorized for) or the basic credentials configured
for molds storage. Operators configure the URL, and the attacker must
already be authenticated with permission to execute clean/deploy
steps, but the URL used for the authorization request is
user-controlled and is not validated by Ironic.
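As an added illustration of the missing check (not Ironic's code and not the actual patch), the following shows how a defender would refuse to attach the Keystone token unless the requested URL lies under the operator-configured storage base; `MOLD_STORAGE_BASE`, `is_allowed_mold_url` and `build_mold_request` are hypothetical names chosen for this example.

```python
from posixpath import normpath
from urllib.parse import urlsplit

# Constructed operator setting (hypothetical name, not an Ironic option):
# the only storage endpoint that mold requests may carry credentials to.
MOLD_STORAGE_BASE = "https://molds.example.internal:8443/molds/"


def is_allowed_mold_url(url, allowed_base=MOLD_STORAGE_BASE):
    """True only if url points under the operator-configured storage base."""
    try:
        cand, base = urlsplit(url), urlsplit(allowed_base)
        # .port raises ValueError on a non-numeric port; None means default
        cand_port, base_port = cand.port or 443, base.port or 443
    except ValueError:
        return False
    if cand.scheme != "https":            # no plaintext or exotic schemes
        return False
    if cand.username or cand.password:    # no userinfo in the URL
        return False
    if cand.hostname is None or cand.hostname != base.hostname:
        return False
    if cand_port != base_port:
        return False
    # Normalise paths so "/molds/../other" cannot escape the allowed prefix
    path = normpath(cand.path or "/")
    base_path = normpath(base.path or "/")
    return path == base_path or path.startswith(base_path.rstrip("/") + "/")


def build_mold_request(url, keystone_token):
    """Attach the Keystone token only to an allowed URL; otherwise refuse."""
    if not is_allowed_mold_url(url):
        raise ValueError("refusing to forward credentials to %s" % url)
    return url, {"X-Auth-Token": keystone_token}
```

The same check applies to the basic-auth variant: the credential is attached only after the destination has been confirmed, never before.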


Patches

    https://review.opendev.org/c/openstack/ironic/+/986817 (2023.1/antelope (unmaintained))

    https://review.opendev.org/c/openstack/ironic/+/986816 (2024.1/caracal (unmaintained))

    https://review.opendev.org/c/openstack/ironic/+/986815 (2024.2/dalmatian)

    https://review.opendev.org/c/openstack/ironic/+/986767 (2025.1/epoxy)

    https://review.opendev.org/c/openstack/ironic/+/986737 (2025.2/flamingo)

    https://review.opendev.org/c/openstack/ironic/+/986725 (2026.1/gazpacho)


Credits

    Dmitry Tantsur from Metal3.io Security Team

    Tuomo Tanskanen from Metal3.io Security Team


References

    https://bugs.launchpad.net/ironic/+bug/2148317

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42997


Notes

    The molds feature was deprecated in the 2024.1 (Caracal)
    release and has been removed during development of the
    2026.2 (Hibiscus) release.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================