Vulnerability details: VCID-2e9k-vxvn-aaab
Vulnerability ID VCID-2e9k-vxvn-aaab
Aliases CVE-2023-30841, GHSA-9wh7-397j-722m
Summary Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, the ironic and ironic-inspector services deployed by BMO's included `deploy.sh` store their `.htpasswd` files in ConfigMaps instead of Secrets. As a result, the plain-text username and the hashed password are readable by anyone with cluster-wide read access to the management cluster, or with access to the management cluster's etcd storage. The fix is in baremetal-operator PR#1241 and is included in BMO release 0.3.0 onwards. As a workaround, users may modify the kustomizations and redeploy BMO, or recreate the affected ConfigMaps as Secrets following the instructions in baremetal-operator PR#1241.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
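The summary describes the weak deployment (htpasswd credentials held in ConfigMaps) and the workaround (recreate them as Secrets). The Python below is an example added here; it is not code from the baremetal-operator project or from PR#1241. It runs offline on the JSON shape that `kubectl get configmaps -o json` returns, flags ConfigMap entries that look like htpasswd files (by key name or by content, so a renamed key is still caught) and emits equivalent Opaque Secret manifests. The ConfigMap names, the namespace and the hash strings in the embedded sample are constructed assumptions and may not match a real BMO deployment.

```python
"""Flag ConfigMaps carrying htpasswd credentials and emit equivalent Secret manifests.

Added example, not code from the baremetal-operator project or PR#1241. Works offline
on the JSON returned by `kubectl get configmaps -o json`; names, namespace and hashes
in SAMPLE_CONFIGMAP_LIST are constructed.
"""
import base64
import json
import re

# One htpasswd entry is "<user>:<hash>". The hash must start with "$" (bcrypt "$2y$",
# apr1 "$apr1$") or "{SHA}", which keeps values such as "https://host:6385/v1/" from
# being mistaken for credentials. Plain 13-character crypt(3) hashes are not recognised.
HTPASSWD_ENTRY = re.compile(r"^[^:\s]+:(?:\$\S+|\{SHA\}\S+)$")


def looks_like_htpasswd(text: str) -> bool:
    """True if there is at least one non-blank line and every one is a user:hash entry."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return bool(lines) and all(HTPASSWD_ENTRY.match(ln) for ln in lines)


def find_htpasswd_configmaps(cm_list: dict) -> list:
    """Return (namespace, name, key) for every ConfigMap data entry holding credentials."""
    hits = []
    for item in cm_list.get("items", []):
        if item.get("kind", "ConfigMap") != "ConfigMap":
            continue
        meta = item["metadata"]
        for key, value in item.get("data", {}).items():
            if "htpasswd" in key.lower() or looks_like_htpasswd(value):
                hits.append((meta.get("namespace", "default"), meta["name"], key))
    return hits


def configmap_to_secret(cm: dict) -> dict:
    """Opaque Secret with the ConfigMap's name, namespace, labels and (base64) data.

    Pod specs that mounted the ConfigMap or used configMapKeyRef still have to be
    switched to a secret volume / secretKeyRef; this function only moves the data.
    """
    meta = cm["metadata"]
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {
            "name": meta["name"],
            "namespace": meta.get("namespace", "default"),
            "labels": dict(meta.get("labels", {})),
        },
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in cm.get("data", {}).items()},
    }


def secret_to_plain(secret: dict) -> dict:
    """Decode Secret.data back to plain strings (used to verify the round trip)."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}


def convert_htpasswd_configmaps(cm_list: dict) -> list:
    """Secret manifests for every ConfigMap flagged by find_htpasswd_configmaps."""
    flagged = {(ns, name) for ns, name, _ in find_htpasswd_configmaps(cm_list)}
    return [
        configmap_to_secret(item)
        for item in cm_list.get("items", [])
        if (item["metadata"].get("namespace", "default"), item["metadata"]["name"]) in flagged
    ]


# Constructed sample in the shape of `kubectl get configmaps -n <namespace> -o json`
# for an affected (pre-0.3.0) deployment. Names, namespace and hashes are made up.
SAMPLE_CONFIGMAP_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"apiVersion": "v1", "kind": "ConfigMap",
         "metadata": {"name": "ironic-htpasswd", "namespace": "baremetal-operator-system"},
         "data": {"htpasswd": "ironic-user:$2y$05$CONSTRUCTEDbcryptHASHxxxxxxxxxxxxxxxxxxxxxxxx\n"}},
        {"apiVersion": "v1", "kind": "ConfigMap",
         "metadata": {"name": "ironic-inspector-htpasswd", "namespace": "baremetal-operator-system"},
         # key renamed: caught by content, not by key name
         "data": {"auth": "inspector-user:$apr1$CONSTRUCTED$saltHASHxxxxxxxxxxxx"}},
        {"apiVersion": "v1", "kind": "ConfigMap",
         "metadata": {"name": "ironic-bmo-configmap", "namespace": "baremetal-operator-system"},
         # ordinary settings, including a URL with a colon: must not be flagged
         "data": {"PROVISIONING_IP": "172.22.0.2", "IRONIC_ENDPOINT": "https://172.22.0.2:6385/v1/"}},
    ],
}

if __name__ == "__main__":
    for ns, name, key in find_htpasswd_configmaps(SAMPLE_CONFIGMAP_LIST):
        print(f"credential material in ConfigMap {ns}/{name}, key {key!r}")
    for secret in convert_htpasswd_configmaps(SAMPLE_CONFIGMAP_LIST):
        print(json.dumps(secret, indent=2))
```

Against a real cluster, feed `json.load` the output of `kubectl get configmaps -n <namespace> -o json`, apply the generated Secrets, switch the ironic and ironic-inspector pod specs from configMap volumes / configMapKeyRef to secret volumes / secretKeyRef, then delete the ConfigMaps. Two caveats on the two exposure paths the summary names: moving the data into a Secret helps only against cluster-wide read access (the built-in `view` ClusterRole, for example, can list ConfigMaps but not Secrets); anyone who can read etcd still sees Secrets in clear unless the API server is configured with encryption at rest (EncryptionConfiguration), and deleted ConfigMap revisions can remain in etcd until it is compacted. Since the hashes were readable, rotating the ironic and ironic-inspector credentials after the move is prudent.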
Weaknesses (2)
System Score Found at
cvssv3 6.0 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-30841.json
epss 0.00011 https://api.first.org/data/v1/epss?cve=CVE-2023-30841
epss 0.0002 https://api.first.org/data/v1/epss?cve=CVE-2023-30841
epss 0.00025 https://api.first.org/data/v1/epss?cve=CVE-2023-30841
epss 0.00043 https://api.first.org/data/v1/epss?cve=CVE-2023-30841
epss 0.00048 https://api.first.org/data/v1/epss?cve=CVE-2023-30841
cvssv3.1 4.9 https://github.com/metal3-io/baremetal-operator
generic_textual MODERATE https://github.com/metal3-io/baremetal-operator
cvssv3.1 6.0 https://github.com/metal3-io/baremetal-operator/pull/1241
generic_textual MODERATE https://github.com/metal3-io/baremetal-operator/pull/1241
ssvc Track https://github.com/metal3-io/baremetal-operator/pull/1241
cvssv3.1 6.0 https://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-9wh7-397j-722m
generic_textual MODERATE https://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-9wh7-397j-722m
ssvc Track https://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-9wh7-397j-722m
cvssv3 5.5 https://nvd.nist.gov/vuln/detail/CVE-2023-30841
cvssv3.1 5.5 https://nvd.nist.gov/vuln/detail/CVE-2023-30841
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-30841.json
Attack Vector (AV): local; Attack Complexity (AC): low; Privileges Required (PR): high; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): none; Integrity Impact (I): high; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/metal3-io/baremetal-operator
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): high; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N Found at https://github.com/metal3-io/baremetal-operator/pull/1241
Attack Vector (AV): local; Attack Complexity (AC): low; Privileges Required (PR): high; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): none; Integrity Impact (I): high; Availability Impact (A): none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-30T21:30:47Z/ Found at https://github.com/metal3-io/baremetal-operator/pull/1241
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N Found at https://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-9wh7-397j-722m
Attack Vector (AV): local; Attack Complexity (AC): low; Privileges Required (PR): high; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): none; Integrity Impact (I): high; Availability Impact (A): none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-30T21:30:47Z/ Found at https://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-9wh7-397j-722m

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-30841
Attack Vector (AV): local; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none

Exploit Prediction Scoring System (EPSS)
Percentile 0.00815
EPSS Score 0.00011
Published At May 9, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.