| Name | CVE-2025-44021 |
| Description | OpenStack Ironic before 29.0.1 can write unintended files to a target node disk during image handling (if a deployment was performed via the API). A malicious project assigned as a node owner can provide a path to any local file (readable by ironic-conductor), which may then be written to the target node disk. This is difficult to exploit in practice, because a node deployed in this manner should never reach the ACTIVE state, but it still represents a danger in environments running with non-default, insecure configurations such as with automated cleaning disabled. The fixed versions are 24.1.3, 26.1.1, and 29.0.1. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1104964 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| ironic (PTS) | bullseye | 1:16.0.3-1 | vulnerable |
| bookworm | 1:21.1.0-3 | vulnerable | |
| sid, trixie | 1:29.0.0-6 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| ironic | source | (unstable) | 1:29.0.0-6 | 1104964 |
https://bugs.launchpad.net/ironic/+bug/2107847
https://security.openstack.org/ossa/OSSA-2025-001.html
https://www.openwall.com/lists/oss-security/2025/05/08/1