CVE-2015-5306
First published: Wed Oct 21 2015(Updated: )
It was discovered that enabling debug mode in ironic-discoverd would also enable debug mode in flask, which would in turn enable the flask console on error. An attacker able to trigger an error and expose the flask console could use the console to run arbitary python code.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenStack Ironic Inspector | ||
| pip/ironic-inspector | >=0<2.2.2 | 2.2.2 |
| pip/python-ironic-inspector-client | <0.2.5 | 0.2.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://rhn.redhat.com/errata/RHSA-2015-2685.html
- https://access.redhat.com/errata/RHSA-2015:1929
- https://bugs.launchpad.net/ironic-inspector/+bug/1506419
- https://bugzilla.redhat.com/show_bug.cgi?id=1273698
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1273701
- https://rhn.redhat.com/errata/RHSA-2015-2685.html
- https://nvd.nist.gov/vuln/detail/CVE-2015-5306
- https://opendev.org/openstack/ironic-inspector/commit/77d0052c5133034490386fbfadfdb1bdb49aa44f
- https://access.redhat.com/errata/RHSA-2015:2685
- https://access.redhat.com/security/cve/CVE-2015-5306
- https://github.com/pypa/advisory-database/tree/main/vulns/ironic-inspector/PYSEC-2015-28.yaml
- https://opendev.org/openstack/ironic-inspector/commit/2c64da2bee6eeea27c08eb7a94894feaa5494910
- https://github.com/advisories/GHSA-x64g-wjmw-w328 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2015-5306?
CVE-2015-5306 is considered a medium severity vulnerability due to the potential for arbitrary code execution.
How do I fix CVE-2015-5306?
To mitigate CVE-2015-5306, upgrade Ironic Inspector to version 2.2.2 or later.
What software is affected by CVE-2015-5306?
CVE-2015-5306 affects OpenStack Ironic Inspector and the python-ironic-inspector-client versions below 0.2.5.
What is the impact of CVE-2015-5306?
The impact of CVE-2015-5306 allows an attacker to execute arbitrary Python code if they can trigger an error while debug mode is enabled.
What causes CVE-2015-5306?
CVE-2015-5306 is caused by enabling debug mode in ironic-discoverd, which inadvertently exposes the Flask console.
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2015-5306
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-x64g-wjmw-w328
- agent/software-canonical-lookup
- agent/references
- agent/last-modified-date
- agent/softwarecombine
- agent/severity
- agent/event
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- agent/trending
- agent/tags
- agent/source
- vendor/openstack
- canonical/openstack ironic inspector
- package-manager/pip