Browse all 5 CVE security advisories affecting metal3-io. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Metal3-io develops open-source infrastructure for bare-metal provisioning and cluster lifecycle management, primarily used in cloud-native environments. Historically, its vulnerabilities have included remote code execution, cross-site scripting, and privilege escalation, often stemming from improper input validation and insecure default configurations. The project maintains a moderate security posture with five disclosed CVEs, though no major public incidents have been reported. Security characteristics include regular security audits and community-driven vulnerability management, though rapid development cycles may occasionally introduce exploitable flaws before patches are available.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2025-29781 | Bare Metal Operator (BMO) can expose any secret from other namespaces via BMCEventSubscription CRD — baremetal-operatorCWE-200 | 6.5 | Medium | 2025-03-17 |
| CVE-2024-43803 | BMO can expose particularly named secrets from other namespaces via BMH CRD — baremetal-operatorCWE-200 | 4.9 | Medium | 2024-09-03 |
| CVE-2024-31463 | Ironic-image allows unauthenticated local access to Ironic API — ironic-imageCWE-288 | 4.7 | Medium | 2024-04-17 |
| CVE-2023-40585 | Unauthenticated access to Ironic API — ironic-imageCWE-306 | 7.3 | High | 2023-08-25 |
| CVE-2023-30841 | Ironic and ironic-inspector deployed within Baremetal Operator may expose as ConfigMaps — baremetal-operatorCWE-200 | 6.0 | Medium | 2023-04-26 |
This page lists every published CVE security advisory associated with metal3-io. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.