CVE-2024-47211: OpenStack Ironic fails to verify checksums of supplied image_source URLs

October 4, 2024 (updated November 5, 2024)

In OpenStack Ironic before 21.4.4, 22.x and 23.x before 23.0.3, 23.x and 24.x before 24.1.3, and 25.x and 26.x before 26.1.0, there is a lack of checksum validation of supplied image_source URLs when configured to convert images to a raw format for streaming.

References

github.com/advisories/GHSA-8h22-6qwx-q4w9
github.com/openstack/ironic
github.com/openstack/ironic/commit/2127cc4c93770778457fde0582c1bba258c67e02
github.com/openstack/ironic/commit/7a1292c569a84eb05806a57a89fca5bb6b0c4043
github.com/openstack/ironic/commit/ebce0fd0845de411171127a55002ae7c9605de57
github.com/openstack/ironic/compare/24.1.2...26.1.0
github.com/openstack/ironic/security
github.com/openstack/ironic/tags
nvd.nist.gov/vuln/detail/CVE-2024-47211
security.openstack.org/ossa/OSSA-2024-004.html

Code Behaviors & Features

Detect and mitigate CVE-2024-47211 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →