{"id":"CVE-2016-4985","details":"The ironic-api service in OpenStack Ironic before 4.2.5 (Liberty) and 5.x before 5.1.2 (Mitaka) allows remote attackers to obtain sensitive information about a registered node by leveraging knowledge of the MAC address of a network card belonging to that node and sending a crafted POST request to the v1/drivers/$DRIVER_NAME/vendor_passthru resource.","aliases":["GHSA-f7cr-7c2c-fm8r"],"modified":"2026-03-15T22:08:16.916970Z","published":"2016-07-12T19:59:04.303Z","related":["SUSE-SU-2016:1966-1"],"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2016/06/21/6"},{"type":"WEB","url":"https://review.openstack.org/332195"},{"type":"WEB","url":"https://review.openstack.org/332196"},{"type":"WEB","url":"https://review.openstack.org/332197"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2016:1377"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2016:1378"},{"type":"ADVISORY","url":"https://bugs.launchpad.net/ironic/+bug/1572796"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8"}]},{"events":[{"introduced":"0"},{"last_affected":"4.2.4"}]},{"events":[{"introduced":"0"},{"last_affected":"5.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.1.1"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-4985.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}