CVE-2015-5306

OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.

Configurations

Configuration 1

cpe:2.3:a:openstack:ironic_inspector:*:*:*:*:*:*:*:*

History

12 Feb 2023, 23:15

Type: Summary
Values Removed: It was discovered that enabling debug mode in openstack-ironic-discoverd also enabled debug mode in the underlying Flask framework. If errors were encountered while Flask was in debug mode, a user experiencing an error might be able to access the debug console (effectively, a command shell).
Values Added: OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.

Type: References
  • (MISC) https://access.redhat.com/security/cve/CVE-2015-5306
  • (MISC) https://access.redhat.com/errata/RHSA-2015:2685

02 Feb 2023, 16:17

Type: References
  • (MISC) https://access.redhat.com/security/cve/CVE-2015-5306
  • (MISC) https://access.redhat.com/errata/RHSA-2015:2685

Type: Summary
Values Removed: OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.
Values Added: It was discovered that enabling debug mode in openstack-ironic-discoverd also enabled debug mode in the underlying Flask framework. If errors were encountered while Flask was in debug mode, a user experiencing an error might be able to access the debug console (effectively, a command shell).

Information

Published : 2015-11-25 20:59

Updated : 2023-12-10 11:46


NVD link : CVE-2015-5306

Mitre link : CVE-2015-5306

CVE.ORG link : CVE-2015-5306



Products Affected

openstack

  • ironic_inspector

CWE
CWE-254

7PK - Security Features