CVE-2016-4985 – openstack-ironic: Ironic Node information including credentials exposed to unauthenticated users

https://notcve.org/view.php?id=CVE-2016-4985

05 Jul 2016 — The ironic-api service in OpenStack Ironic before 4.2.5 (Liberty) and 5.x before 5.1.2 (Mitaka) allows remote attackers to obtain sensitive information about a registered node by leveraging knowledge of the MAC address of a network card belonging to that node and sending a crafted POST request to the v1/drivers/$DRIVER_NAME/vendor_passthru resource. El servicio ironic-api en OpenStack Ironic en versiones anteriores a 4.2.5 (Liberty) y 5.x en versiones anteriores a 5.1.2 (Mitaka) permite a atacantes remotos ... • http://www.openwall.com/lists/oss-security/2016/06/21/6 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-290: Authentication Bypass by Spoofing •