Skip to content
CVSS 8.0 · HIGH

CVE-2026-43003

An issue was discovered in OpenStack ironic-python-agent 1.0.0 through 11.5.0. Ironic Python Agent (IPA) sometimes executes grub-install from within a chroot of the deployed partition image, leading to code execution in the case of a malicious image.

Ver en NVD

Análisis

OpenStack ironic-python-agent (IPA) versions 1.0.0 through 11.5.0 are vulnerable to code execution during the OS deployment process. If you allow users or automated pipelines to provide custom disk images for bare-metal provisioning, an attacker could exploit the grub-install routine to execute arbitrary code on the deployment agent.

Severidad

Puntaje: 8.0(HIGH)
Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
AV: ADJACENT_NETWORK
AC: HIGH
PR: LOW
UI: NONE
S: CHANGED
C: HIGH
I: HIGH
A: HIGH
Tipo de falla (CWE): CWE-829

EPSS

Probabilidad de explotación (próx. 30 días): 0.0002 (0.0%)
Percentil: 6.8%
EPSS: 2026-05-06

Afecta

openstack:ironic_python_agent

Descripción técnica

An issue was discovered in OpenStack ironic-python-agent 1.0.0 through 11.5.0. Ironic Python Agent (IPA) sometimes executes grub-install from within a chroot of the deployed partition image, leading to code execution in the case of a malicious image.

Publicada: 1/5/2026, 9:16:17
Última modificación: 4/5/2026, 18:28:28

Referencias

InicioEventosBlogRecursosEquipo