{"body":"For standalone users, this issue exists but the standalone user is expected to be the infrastucture operator. For integrated usage with other OpenStack services, i.e. nova requesting instances, prior to Ironic 30.0.0, all images were expected to be explicitly set to public or community by the infrastructure admin which is a limiting factor as the tenant would need the \"cloud admin\" to figuratively sign-off on the images. Starting in 30.0.0, Images shared with the Ironic service's project became eligible for deployment requiring administrator level context to set that case up in the first place. Furthermore 30.0.0 was extended to allow \"admin\" requestors to deploy whatever their desired image was based upon the ``[DEFAULT]ignore_project_check_for_admin_tasks`` option which defaults to True, again meaning an elevated/trusted user. However where the risk really exists is when an baremetal node has been handed off to an end user in the ownership/leasing model, via ``owner`` and ``lessee`` fields, where a user could directly request a deployment with an explicit URL instead of a glance image, and in this vulnerability's case where an owner scoped member user or an admin scoped lessee user could update the instance_info for bare metal node by directly leveraging ironic's API and point Ironic to a malicious mage and request a deploy or rebuild (respetive of access rights and state of usage of the node). Owner and lessee models were introduced in ironic 17.0.0, and previously only the cloud admin or a user explicitly granted baremetal_admin rights could interact with Ironic.","name":"","extension":"txt","url":"https://www.irccloud.com/pastebin/WwfEuGAO","modified":1777571361,"id":"WwfEuGAO","size":1593,"lines":1,"own_paste":false,"theme":"","date":1777571361}