{"id":"UBUNTU-CVE-2024-44082","details":"In OpenStack Ironic before 26.0.1 and ironic-python-agent before 9.13.1, there is a vulnerability in image processing, in which a crafted image could be used by an authenticated user to exploit undesired behaviors in qemu-img, including possible unauthorized access to potentially sensitive data. The affected/fixed version details are: Ironic: \u003c21.4.3, \u003e=22.0.0 \u003c23.0.2, \u003e=23.1.0 \u003c24.1.2, \u003e=25.0.0 \u003c26.0.1; Ironic-python-agent: \u003c9.4.2, \u003e=9.5.0 \u003c9.7.1, \u003e=9.8.0 \u003c9.11.1, \u003e=9.12.0 \u003c9.13.1.","modified":"2026-02-04T02:49:35.344753Z","published":"2024-09-04T00:00:00Z","related":["USN-6989-1"],"upstream":["CVE-2024-44082"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-44082"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2024-44082"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-6989-1"}],"affected":[{"package":{"name":"ironic","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/ironic@1:5.1.2-0ubuntu1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:4.2.0-0ubuntu1","1:4.3.0-0ubuntu1","1:5.1.0-0ubuntu1","1:5.1.2-0ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_version":"1:5.1.2-0ubuntu1","binary_name":"ironic-api"},{"binary_version":"1:5.1.2-0ubuntu1","binary_name":"ironic-common"},{"binary_version":"1:5.1.2-0ubuntu1","binary_name":"ironic-conductor"},{"binary_version":"1:5.1.2-0ubuntu1","binary_name":"python-ironic"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-44082.json"}},{"package":{"name":"ironic","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/ironic@1:10.1.1-0ubuntu2?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:9.1.0-0ubuntu2","1:9.2.0-0ubuntu1","1:10.0.0-0ubuntu1","1:10.1.0-0ubuntu1","1:10.1.1-0ubuntu1","1:10.1.1-0ubuntu2"],"ecosystem_specific":{"binaries":[{"binary_version":"1:10.1.1-0ubuntu2","binary_name":"ironic-api"},{"binary_version":"1:10.1.1-0ubuntu2","binary_name":"ironic-common"},{"binary_version":"1:10.1.1-0ubuntu2","binary_name":"ironic-conductor"},{"binary_version":"1:10.1.1-0ubuntu2","binary_name":"python-ironic"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-44082.json"}},{"package":{"name":"ironic","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/ironic@1:15.0.0-0ubuntu0.20.04.1?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:13.0.1-0ubuntu1","1:14.0.0~b1~git2019121713.76597ca93-0ubuntu1","1:14.0.0~b1~git2019121713.76597ca93-0ubuntu2","1:14.0.0-0ubuntu1","1:14.0.1~git2020032415.de2d907fc-0ubuntu1","1:14.0.1~git2020041013.af9e6ba90-0ubuntu2","1:15.0.0-0ubuntu0.20.04.1"],"ecosystem_specific":{"binaries":[{"binary_version":"1:15.0.0-0ubuntu0.20.04.1","binary_name":"ironic-api"},{"binary_version":"1:15.0.0-0ubuntu0.20.04.1","binary_name":"ironic-common"},{"binary_version":"1:15.0.0-0ubuntu0.20.04.1","binary_name":"ironic-conductor"},{"binary_version":"1:15.0.0-0ubuntu0.20.04.1","binary_name":"python3-ironic"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-44082.json"}},{"package":{"name":"ironic","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/ironic@1:20.1.0-0ubuntu1.2?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:20.1.0-0ubuntu1.2"}]}],"versions":["1:18.2.0-0ubuntu1","1:18.2.0+git2021120910.cdc3b9538-0ubuntu1","1:19.0.0+git2022011216.7beadee46-0ubuntu1","1:20.0.0+git2022030313.4e6a3d52e-0ubuntu1","1:20.1.0-0ubuntu1","1:20.1.0-0ubuntu1.1"],"ecosystem_specific":{"binaries":[{"binary_version":"1:20.1.0-0ubuntu1.2","binary_name":"ironic-api"},{"binary_version":"1:20.1.0-0ubuntu1.2","binary_name":"ironic-common"},{"binary_version":"1:20.1.0-0ubuntu1.2","binary_name":"ironic-conductor"},{"binary_version":"1:20.1.0-0ubuntu1.2","binary_name":"python3-ironic"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-44082.json"}},{"package":{"name":"ironic","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/ironic@1:24.1.1-0ubuntu1.2?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:24.1.1-0ubuntu1.2"}]}],"versions":["1:23.0.0-0ubuntu3","1:23.1.0+git2024011916.a374a0c1-0ubuntu1","1:24.1.0-0ubuntu1","1:24.1.1-0ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_version":"1:24.1.1-0ubuntu1.2","binary_name":"ironic-api"},{"binary_version":"1:24.1.1-0ubuntu1.2","binary_name":"ironic-common"},{"binary_version":"1:24.1.1-0ubuntu1.2","binary_name":"ironic-conductor"},{"binary_version":"1:24.1.1-0ubuntu1.2","binary_name":"python3-ironic"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-44082.json"}},{"package":{"name":"ironic-python-agent","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/ironic-python-agent@9.1.0-1ubuntu1?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["9.1.0-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_version":"9.1.0-1ubuntu1","binary_name":"ironic-python-agent"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-44082.json"}},{"package":{"name":"ironic","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/ironic@1:32.0.0-0ubuntu1?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:29.0.0-0ubuntu1","1:30.0.0+git2025070713.577833d78-0ubuntu1","1:30.0.0+git2025070713.577833d78-0ubuntu2","1:32.0.0-0ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_version":"1:32.0.0-0ubuntu1","binary_name":"ironic-api"},{"binary_version":"1:32.0.0-0ubuntu1","binary_name":"ironic-common"},{"binary_version":"1:32.0.0-0ubuntu1","binary_name":"ironic-conductor"},{"binary_version":"1:32.0.0-0ubuntu1","binary_name":"python3-ironic"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-44082.json"}},{"package":{"name":"ironic-python-agent","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/ironic-python-agent@10.2.0-3?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["9.14.0-5","10.2.0-3"],"ecosystem_specific":{"binaries":[{"binary_version":"10.2.0-3","binary_name":"ironic-python-agent"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-44082.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]}