| Name | CVE-2024-44082 |
| Description | In OpenStack Ironic before 26.0.1 and ironic-python-agent before 9.13.1, there is a vulnerability in image processing, in which a crafted image could be used by an authenticated user to exploit undesired behaviors in qemu-img, including possible unauthorized access to potentially sensitive data. The affected/fixed version details are: Ironic: <21.4.3, >=22.0.0 <23.0.2, >=23.1.0 <24.1.2, >=25.0.0 <26.0.1; Ironic-python-agent: <9.4.2, >=9.5.0 <9.7.1, >=9.8.0 <9.11.1, >=9.12.0 <9.13.1. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| ironic (PTS) | stretch | 1:6.2.0-3 | vulnerable |
| buster | 1:11.1.0-6 | vulnerable | |
| bullseye | 1:16.0.3-1 | vulnerable | |
| bookworm | 1:21.1.0-3 | vulnerable | |
| sid, trixie | 1:24.1.1-3 | vulnerable | |
| ironic-python-agent (PTS) | sid, trixie | 9.11.0-3 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| ironic | source | stretch | (unfixed) | end-of-life | ||
| ironic | source | buster | (unfixed) | end-of-life | ||
| ironic | source | (unstable) | (unfixed) | |||
| ironic-python-agent | source | (unstable) | (unfixed) |
https://www.openwall.com/lists/oss-security/2024/09/04/4
https://bugs.launchpad.net/ironic/+bug/2071740