Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2015-5306 (GCVE-0-2015-5306)
Vulnerability from cvelistv5 – Published: 2015-11-25 20:00 – Updated: 2024-08-06 06:41
VLAI?
EPSS
Summary
OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Date Public ?
2015-10-22 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:41:09.264Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2015:1929",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2015:1929"
},
{
"name": "RHSA-2015:2685",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2685.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273698"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.launchpad.net/ironic-inspector/+bug/1506419"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-10-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-12-05T14:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2015:1929",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2015:1929"
},
{
"name": "RHSA-2015:2685",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2685.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273698"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.launchpad.net/ironic-inspector/+bug/1506419"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-5306",
"datePublished": "2015-11-25T20:00:00.000Z",
"dateReserved": "2015-07-01T00:00:00.000Z",
"dateUpdated": "2024-08-06T06:41:09.264Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:ironic_inspector:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"95F96F39-A887-4A85-A241-DD55138418C6\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.\"}, {\"lang\": \"es\", \"value\": \"OpenStack Ironic Inspector (tambi\\u00e9n conocido como ironic-inspector o ironic-discoverd), cuando el modo depurardor est\\u00e1 habilitado, podr\\u00eda permitir a atacantes remotos acceder a la consola Flask y ejecutar c\\u00f3digo Python arbitrario desencadenando un error.\"}]",
"id": "CVE-2015-5306",
"lastModified": "2024-11-21T02:32:45.597",
"metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2015-11-25T20:59:06.273",
"references": "[{\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2685.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2015:1929\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://bugs.launchpad.net/ironic-inspector/+bug/1506419\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1273698\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2685.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2015:1929\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://bugs.launchpad.net/ironic-inspector/+bug/1506419\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1273698\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-254\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2015-5306\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2015-11-25T20:59:06.273\",\"lastModified\":\"2025-04-12T10:46:40.837\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.\"},{\"lang\":\"es\",\"value\":\"OpenStack Ironic Inspector (tambi\u00e9n conocido como ironic-inspector o ironic-discoverd), cuando el modo depurardor est\u00e1 habilitado, podr\u00eda permitir a atacantes remotos acceder a la consola Flask y ejecutar c\u00f3digo Python arbitrario desencadenando un error.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-254\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:ironic_inspector:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"95F96F39-A887-4A85-A241-DD55138418C6\"}]}]}],\"references\":[{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2685.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2015:1929\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://bugs.launchpad.net/ironic-inspector/+bug/1506419\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1273698\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2685.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2015:1929\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://bugs.launchpad.net/ironic-inspector/+bug/1506419\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1273698\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
PYSEC-2015-28
Vulnerability from pysec - Published: 2015-11-25 20:59 - Updated: 2021-07-25 23:34
VLAI?
Details
OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.
Impacted products
| Name | purl | ironic-inspector | pkg:pypi/ironic-inspector |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ironic-inspector",
"purl": "pkg:pypi/ironic-inspector"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.0.0",
"2.0.1",
"2.1.0",
"2.2.0",
"2.2.1",
"2.2.2",
"2.2.3",
"2.2.4",
"2.2.5",
"2.2.6",
"2.2.7"
]
}
],
"aliases": [
"CVE-2015-5306"
],
"details": "OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.",
"id": "PYSEC-2015-28",
"modified": "2021-07-25T23:34:38.274751Z",
"published": "2015-11-25T20:59:00Z",
"references": [
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273698"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/ironic-inspector/+bug/1506419"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2015:1929"
},
{
"type": "ADVISORY",
"url": "http://rhn.redhat.com/errata/RHSA-2015-2685.html"
}
]
}
RHSA-2015:2685
Vulnerability from csaf_redhat - Published: 2015-12-21 19:09 - Updated: 2025-11-21 17:54Summary
Red Hat Security Advisory: openstack-ironic-discoverd security update
Severity
Important
Notes
Topic: Updated openstack-ironic-discoverd packages that fix one security issue are
now available for Red Hat Enterprise Linux OpenStack Platform 6.0.
Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
Details: OpenStack Bare Metal (ironic) is a tool used to provision bare metal
(as opposed to virtual) machines. It leverages common technologies such
as PXE boot and IPMI to cover a wide range of hardware. It also supports
pluggable drivers to allow added, vendor-specific functionality.
It was discovered that enabling debug mode in openstack-ironic-discoverd
also enabled debug mode in the underlying Flask framework. If errors were
encountered while Flask was in debug mode, a user experiencing an error
might be able to access the debug console (effectively, a command shell).
(CVE-2015-5306)
Please note that this package is a Technology Preview and should not be
used in production.
All openstack-ironic-discoverd users are advised to upgrade to these
updated packages, which correct this issue.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
It was discovered that enabling debug mode in openstack-ironic-discoverd also enabled debug mode in the underlying Flask framework. If errors were encountered while Flask was in debug mode, a user experiencing an error might be able to access the debug console (effectively, a command shell).
6.0 ()
Vendor Fix
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2015:2685
References
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated openstack-ironic-discoverd packages that fix one security issue are\nnow available for Red Hat Enterprise Linux OpenStack Platform 6.0.\n\nRed Hat Product Security has rated this update as having Important security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenStack Bare Metal (ironic) is a tool used to provision bare metal\n(as opposed to virtual) machines. It leverages common technologies such\nas PXE boot and IPMI to cover a wide range of hardware. It also supports\npluggable drivers to allow added, vendor-specific functionality.\n\nIt was discovered that enabling debug mode in openstack-ironic-discoverd\nalso enabled debug mode in the underlying Flask framework. If errors were\nencountered while Flask was in debug mode, a user experiencing an error\nmight be able to access the debug console (effectively, a command shell).\n(CVE-2015-5306)\n\nPlease note that this package is a Technology Preview and should not be\nused in production.\n\nAll openstack-ironic-discoverd users are advised to upgrade to these\nupdated packages, which correct this issue.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:2685",
"url": "https://access.redhat.com/errata/RHSA-2015:2685"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1273698",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273698"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_2685.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-discoverd security update",
"tracking": {
"current_release_date": "2025-11-21T17:54:36+00:00",
"generator": {
"date": "2025-11-21T17:54:36+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2015:2685",
"initial_release_date": "2015-12-21T19:09:02+00:00",
"revision_history": [
{
"date": "2015-12-21T19:09:02+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2015-12-21T19:09:02+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T17:54:36+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product": {
"name": "Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product_id": "7Server-RH7-RHOS-6.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:6::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-discoverd-0:0.2.5-2.el7ost.noarch",
"product": {
"name": "openstack-ironic-discoverd-0:0.2.5-2.el7ost.noarch",
"product_id": "openstack-ironic-discoverd-0:0.2.5-2.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-discoverd@0.2.5-2.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-discoverd-0:0.2.5-2.el7ost.src",
"product": {
"name": "openstack-ironic-discoverd-0:0.2.5-2.el7ost.src",
"product_id": "openstack-ironic-discoverd-0:0.2.5-2.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-discoverd@0.2.5-2.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-discoverd-0:0.2.5-2.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product_id": "7Server-RH7-RHOS-6.0:openstack-ironic-discoverd-0:0.2.5-2.el7ost.noarch"
},
"product_reference": "openstack-ironic-discoverd-0:0.2.5-2.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-discoverd-0:0.2.5-2.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product_id": "7Server-RH7-RHOS-6.0:openstack-ironic-discoverd-0:0.2.5-2.el7ost.src"
},
"product_reference": "openstack-ironic-discoverd-0:0.2.5-2.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-6.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-5306",
"cwe": {
"id": "CWE-749",
"name": "Exposed Dangerous Method or Function"
},
"discovery_date": "2015-10-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1273698"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that enabling debug mode in openstack-ironic-discoverd also enabled debug mode in the underlying Flask framework. If errors were encountered while Flask was in debug mode, a user experiencing an error might be able to access the debug console (effectively, a command shell).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-discoverd: potential remote code execution with debug mode enabled",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-6.0:openstack-ironic-discoverd-0:0.2.5-2.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-ironic-discoverd-0:0.2.5-2.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-5306"
},
{
"category": "external",
"summary": "RHBZ#1273698",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273698"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-5306",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-5306"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5306",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5306"
}
],
"release_date": "2015-10-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-12-21T19:09:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-6.0:openstack-ironic-discoverd-0:0.2.5-2.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-ironic-discoverd-0:0.2.5-2.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:2685"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"7Server-RH7-RHOS-6.0:openstack-ironic-discoverd-0:0.2.5-2.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-ironic-discoverd-0:0.2.5-2.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-discoverd: potential remote code execution with debug mode enabled"
}
]
}
RHSA-2015:1929
Vulnerability from csaf_redhat - Published: 2015-10-22 19:44 - Updated: 2025-11-21 17:53Summary
Red Hat Security Advisory: openstack-ironic-discoverd security update
Severity
Important
Notes
Topic: Updated openstack-ironic-discoverd packages that fix one security issue are
now available for Red Hat Enterprise Linux OpenStack Platform 7.0.
Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
Details: Ironic provides bare metal provisioning for OpenStack nodes.
It was discovered that enabling debug mode in openstack-ironic-discoverd
also enables debug mode in the underlying Flask framework. If errors are
encountered while Flask is in debug mode, a user experiencing an error may
be able to access the debug console (effectively, a command shell).
(CVE-2015-5306)
All openstack-ironic-discoverd users are advised to upgrade to these
updated packages, which correct this issue.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
It was discovered that enabling debug mode in openstack-ironic-discoverd also enabled debug mode in the underlying Flask framework. If errors were encountered while Flask was in debug mode, a user experiencing an error might be able to access the debug console (effectively, a command shell).
6.0 ()
Vendor Fix
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2015:1929
References
| URL | Category | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated openstack-ironic-discoverd packages that fix one security issue are\nnow available for Red Hat Enterprise Linux OpenStack Platform 7.0.\n\nRed Hat Product Security has rated this update as having Important security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
"title": "Topic"
},
{
"category": "general",
"text": "Ironic provides bare metal provisioning for OpenStack nodes.\n\nIt was discovered that enabling debug mode in openstack-ironic-discoverd\nalso enables debug mode in the underlying Flask framework. If errors are\nencountered while Flask is in debug mode, a user experiencing an error may\nbe able to access the debug console (effectively, a command shell).\n(CVE-2015-5306)\n\nAll openstack-ironic-discoverd users are advised to upgrade to these\nupdated packages, which correct this issue.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:1929",
"url": "https://access.redhat.com/errata/RHSA-2015:1929"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1256421",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1256421"
},
{
"category": "external",
"summary": "1273698",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273698"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1929.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-discoverd security update",
"tracking": {
"current_release_date": "2025-11-21T17:53:50+00:00",
"generator": {
"date": "2025-11-21T17:53:50+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2015:1929",
"initial_release_date": "2015-10-22T19:44:50+00:00",
"revision_history": [
{
"date": "2015-10-22T19:44:50+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2015-10-22T19:44:50+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T17:53:50+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenStack 7.0 Director for RHEL 7",
"product": {
"name": "OpenStack 7.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0-Director",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack-director:7::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "python-ironic-discoverd-0:1.1.0-8.el7ost.noarch",
"product": {
"name": "python-ironic-discoverd-0:1.1.0-8.el7ost.noarch",
"product_id": "python-ironic-discoverd-0:1.1.0-8.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-ironic-discoverd@1.1.0-8.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-ironic-discoverd-0:1.1.0-8.el7ost.noarch",
"product": {
"name": "openstack-ironic-discoverd-0:1.1.0-8.el7ost.noarch",
"product_id": "openstack-ironic-discoverd-0:1.1.0-8.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-discoverd@1.1.0-8.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-ironic-discoverd-ramdisk-0:1.1.0-8.el7ost.noarch",
"product": {
"name": "openstack-ironic-discoverd-ramdisk-0:1.1.0-8.el7ost.noarch",
"product_id": "openstack-ironic-discoverd-ramdisk-0:1.1.0-8.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-discoverd-ramdisk@1.1.0-8.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-discoverd-0:1.1.0-8.el7ost.src",
"product": {
"name": "openstack-ironic-discoverd-0:1.1.0-8.el7ost.src",
"product_id": "openstack-ironic-discoverd-0:1.1.0-8.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-discoverd@1.1.0-8.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-discoverd-0:1.1.0-8.el7ost.noarch as a component of OpenStack 7.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-0:1.1.0-8.el7ost.noarch"
},
"product_reference": "openstack-ironic-discoverd-0:1.1.0-8.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-discoverd-0:1.1.0-8.el7ost.src as a component of OpenStack 7.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-0:1.1.0-8.el7ost.src"
},
"product_reference": "openstack-ironic-discoverd-0:1.1.0-8.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-discoverd-ramdisk-0:1.1.0-8.el7ost.noarch as a component of OpenStack 7.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-ramdisk-0:1.1.0-8.el7ost.noarch"
},
"product_reference": "openstack-ironic-discoverd-ramdisk-0:1.1.0-8.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-ironic-discoverd-0:1.1.0-8.el7ost.noarch as a component of OpenStack 7.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0-Director:python-ironic-discoverd-0:1.1.0-8.el7ost.noarch"
},
"product_reference": "python-ironic-discoverd-0:1.1.0-8.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0-Director"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-5306",
"cwe": {
"id": "CWE-749",
"name": "Exposed Dangerous Method or Function"
},
"discovery_date": "2015-10-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1273698"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that enabling debug mode in openstack-ironic-discoverd also enabled debug mode in the underlying Flask framework. If errors were encountered while Flask was in debug mode, a user experiencing an error might be able to access the debug console (effectively, a command shell).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-discoverd: potential remote code execution with debug mode enabled",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-0:1.1.0-8.el7ost.noarch",
"7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-0:1.1.0-8.el7ost.src",
"7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-ramdisk-0:1.1.0-8.el7ost.noarch",
"7Server-RH7-RHOS-7.0-Director:python-ironic-discoverd-0:1.1.0-8.el7ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-5306"
},
{
"category": "external",
"summary": "RHBZ#1273698",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273698"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-5306",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-5306"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5306",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5306"
}
],
"release_date": "2015-10-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-10-22T19:44:50+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-0:1.1.0-8.el7ost.noarch",
"7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-0:1.1.0-8.el7ost.src",
"7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-ramdisk-0:1.1.0-8.el7ost.noarch",
"7Server-RH7-RHOS-7.0-Director:python-ironic-discoverd-0:1.1.0-8.el7ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:1929"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-0:1.1.0-8.el7ost.noarch",
"7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-0:1.1.0-8.el7ost.src",
"7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-ramdisk-0:1.1.0-8.el7ost.noarch",
"7Server-RH7-RHOS-7.0-Director:python-ironic-discoverd-0:1.1.0-8.el7ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-discoverd: potential remote code execution with debug mode enabled"
}
]
}
RHSA-2015_1929
Vulnerability from csaf_redhat - Published: 2015-10-22 19:44 - Updated: 2024-11-22 09:33Summary
Red Hat Security Advisory: openstack-ironic-discoverd security update
Severity
Important
Notes
Topic: Updated openstack-ironic-discoverd packages that fix one security issue are
now available for Red Hat Enterprise Linux OpenStack Platform 7.0.
Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
Details: Ironic provides bare metal provisioning for OpenStack nodes.
It was discovered that enabling debug mode in openstack-ironic-discoverd
also enables debug mode in the underlying Flask framework. If errors are
encountered while Flask is in debug mode, a user experiencing an error may
be able to access the debug console (effectively, a command shell).
(CVE-2015-5306)
All openstack-ironic-discoverd users are advised to upgrade to these
updated packages, which correct this issue.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
It was discovered that enabling debug mode in openstack-ironic-discoverd also enabled debug mode in the underlying Flask framework. If errors were encountered while Flask was in debug mode, a user experiencing an error might be able to access the debug console (effectively, a command shell).
6.0 ()
Vendor Fix
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2015:1929
References
| URL | Category | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated openstack-ironic-discoverd packages that fix one security issue are\nnow available for Red Hat Enterprise Linux OpenStack Platform 7.0.\n\nRed Hat Product Security has rated this update as having Important security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
"title": "Topic"
},
{
"category": "general",
"text": "Ironic provides bare metal provisioning for OpenStack nodes.\n\nIt was discovered that enabling debug mode in openstack-ironic-discoverd\nalso enables debug mode in the underlying Flask framework. If errors are\nencountered while Flask is in debug mode, a user experiencing an error may\nbe able to access the debug console (effectively, a command shell).\n(CVE-2015-5306)\n\nAll openstack-ironic-discoverd users are advised to upgrade to these\nupdated packages, which correct this issue.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:1929",
"url": "https://access.redhat.com/errata/RHSA-2015:1929"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1256421",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1256421"
},
{
"category": "external",
"summary": "1273698",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273698"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1929.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-discoverd security update",
"tracking": {
"current_release_date": "2024-11-22T09:33:08+00:00",
"generator": {
"date": "2024-11-22T09:33:08+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2015:1929",
"initial_release_date": "2015-10-22T19:44:50+00:00",
"revision_history": [
{
"date": "2015-10-22T19:44:50+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2015-10-22T19:44:50+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T09:33:08+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenStack 7.0 Director for RHEL 7",
"product": {
"name": "OpenStack 7.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0-Director",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack-director:7::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "python-ironic-discoverd-0:1.1.0-8.el7ost.noarch",
"product": {
"name": "python-ironic-discoverd-0:1.1.0-8.el7ost.noarch",
"product_id": "python-ironic-discoverd-0:1.1.0-8.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-ironic-discoverd@1.1.0-8.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-ironic-discoverd-0:1.1.0-8.el7ost.noarch",
"product": {
"name": "openstack-ironic-discoverd-0:1.1.0-8.el7ost.noarch",
"product_id": "openstack-ironic-discoverd-0:1.1.0-8.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-discoverd@1.1.0-8.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-ironic-discoverd-ramdisk-0:1.1.0-8.el7ost.noarch",
"product": {
"name": "openstack-ironic-discoverd-ramdisk-0:1.1.0-8.el7ost.noarch",
"product_id": "openstack-ironic-discoverd-ramdisk-0:1.1.0-8.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-discoverd-ramdisk@1.1.0-8.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-discoverd-0:1.1.0-8.el7ost.src",
"product": {
"name": "openstack-ironic-discoverd-0:1.1.0-8.el7ost.src",
"product_id": "openstack-ironic-discoverd-0:1.1.0-8.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-discoverd@1.1.0-8.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-discoverd-0:1.1.0-8.el7ost.noarch as a component of OpenStack 7.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-0:1.1.0-8.el7ost.noarch"
},
"product_reference": "openstack-ironic-discoverd-0:1.1.0-8.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-discoverd-0:1.1.0-8.el7ost.src as a component of OpenStack 7.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-0:1.1.0-8.el7ost.src"
},
"product_reference": "openstack-ironic-discoverd-0:1.1.0-8.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-discoverd-ramdisk-0:1.1.0-8.el7ost.noarch as a component of OpenStack 7.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-ramdisk-0:1.1.0-8.el7ost.noarch"
},
"product_reference": "openstack-ironic-discoverd-ramdisk-0:1.1.0-8.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-ironic-discoverd-0:1.1.0-8.el7ost.noarch as a component of OpenStack 7.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0-Director:python-ironic-discoverd-0:1.1.0-8.el7ost.noarch"
},
"product_reference": "python-ironic-discoverd-0:1.1.0-8.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0-Director"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-5306",
"cwe": {
"id": "CWE-749",
"name": "Exposed Dangerous Method or Function"
},
"discovery_date": "2015-10-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1273698"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that enabling debug mode in openstack-ironic-discoverd also enabled debug mode in the underlying Flask framework. If errors were encountered while Flask was in debug mode, a user experiencing an error might be able to access the debug console (effectively, a command shell).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-discoverd: potential remote code execution with debug mode enabled",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-0:1.1.0-8.el7ost.noarch",
"7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-0:1.1.0-8.el7ost.src",
"7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-ramdisk-0:1.1.0-8.el7ost.noarch",
"7Server-RH7-RHOS-7.0-Director:python-ironic-discoverd-0:1.1.0-8.el7ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-5306"
},
{
"category": "external",
"summary": "RHBZ#1273698",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273698"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-5306",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-5306"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5306",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5306"
}
],
"release_date": "2015-10-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-10-22T19:44:50+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-0:1.1.0-8.el7ost.noarch",
"7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-0:1.1.0-8.el7ost.src",
"7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-ramdisk-0:1.1.0-8.el7ost.noarch",
"7Server-RH7-RHOS-7.0-Director:python-ironic-discoverd-0:1.1.0-8.el7ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:1929"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-0:1.1.0-8.el7ost.noarch",
"7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-0:1.1.0-8.el7ost.src",
"7Server-RH7-RHOS-7.0-Director:openstack-ironic-discoverd-ramdisk-0:1.1.0-8.el7ost.noarch",
"7Server-RH7-RHOS-7.0-Director:python-ironic-discoverd-0:1.1.0-8.el7ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-discoverd: potential remote code execution with debug mode enabled"
}
]
}
RHSA-2015_2685
Vulnerability from csaf_redhat - Published: 2015-12-21 19:09 - Updated: 2024-11-22 09:33Summary
Red Hat Security Advisory: openstack-ironic-discoverd security update
Severity
Important
Notes
Topic: Updated openstack-ironic-discoverd packages that fix one security issue are
now available for Red Hat Enterprise Linux OpenStack Platform 6.0.
Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
Details: OpenStack Bare Metal (ironic) is a tool used to provision bare metal
(as opposed to virtual) machines. It leverages common technologies such
as PXE boot and IPMI to cover a wide range of hardware. It also supports
pluggable drivers to allow added, vendor-specific functionality.
It was discovered that enabling debug mode in openstack-ironic-discoverd
also enabled debug mode in the underlying Flask framework. If errors were
encountered while Flask was in debug mode, a user experiencing an error
might be able to access the debug console (effectively, a command shell).
(CVE-2015-5306)
Please note that this package is a Technology Preview and should not be
used in production.
All openstack-ironic-discoverd users are advised to upgrade to these
updated packages, which correct this issue.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
It was discovered that enabling debug mode in openstack-ironic-discoverd also enabled debug mode in the underlying Flask framework. If errors were encountered while Flask was in debug mode, a user experiencing an error might be able to access the debug console (effectively, a command shell).
6.0 ()
Vendor Fix
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2015:2685
References
| URL | Category | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated openstack-ironic-discoverd packages that fix one security issue are\nnow available for Red Hat Enterprise Linux OpenStack Platform 6.0.\n\nRed Hat Product Security has rated this update as having Important security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenStack Bare Metal (ironic) is a tool used to provision bare metal\n(as opposed to virtual) machines. It leverages common technologies such\nas PXE boot and IPMI to cover a wide range of hardware. It also supports\npluggable drivers to allow added, vendor-specific functionality.\n\nIt was discovered that enabling debug mode in openstack-ironic-discoverd\nalso enabled debug mode in the underlying Flask framework. If errors were\nencountered while Flask was in debug mode, a user experiencing an error\nmight be able to access the debug console (effectively, a command shell).\n(CVE-2015-5306)\n\nPlease note that this package is a Technology Preview and should not be\nused in production.\n\nAll openstack-ironic-discoverd users are advised to upgrade to these\nupdated packages, which correct this issue.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:2685",
"url": "https://access.redhat.com/errata/RHSA-2015:2685"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1273698",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273698"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_2685.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-discoverd security update",
"tracking": {
"current_release_date": "2024-11-22T09:33:03+00:00",
"generator": {
"date": "2024-11-22T09:33:03+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2015:2685",
"initial_release_date": "2015-12-21T19:09:02+00:00",
"revision_history": [
{
"date": "2015-12-21T19:09:02+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2015-12-21T19:09:02+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T09:33:03+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product": {
"name": "Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product_id": "7Server-RH7-RHOS-6.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:6::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-discoverd-0:0.2.5-2.el7ost.noarch",
"product": {
"name": "openstack-ironic-discoverd-0:0.2.5-2.el7ost.noarch",
"product_id": "openstack-ironic-discoverd-0:0.2.5-2.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-discoverd@0.2.5-2.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-discoverd-0:0.2.5-2.el7ost.src",
"product": {
"name": "openstack-ironic-discoverd-0:0.2.5-2.el7ost.src",
"product_id": "openstack-ironic-discoverd-0:0.2.5-2.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-discoverd@0.2.5-2.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-discoverd-0:0.2.5-2.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product_id": "7Server-RH7-RHOS-6.0:openstack-ironic-discoverd-0:0.2.5-2.el7ost.noarch"
},
"product_reference": "openstack-ironic-discoverd-0:0.2.5-2.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-discoverd-0:0.2.5-2.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product_id": "7Server-RH7-RHOS-6.0:openstack-ironic-discoverd-0:0.2.5-2.el7ost.src"
},
"product_reference": "openstack-ironic-discoverd-0:0.2.5-2.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-6.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-5306",
"cwe": {
"id": "CWE-749",
"name": "Exposed Dangerous Method or Function"
},
"discovery_date": "2015-10-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1273698"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that enabling debug mode in openstack-ironic-discoverd also enabled debug mode in the underlying Flask framework. If errors were encountered while Flask was in debug mode, a user experiencing an error might be able to access the debug console (effectively, a command shell).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-discoverd: potential remote code execution with debug mode enabled",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-6.0:openstack-ironic-discoverd-0:0.2.5-2.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-ironic-discoverd-0:0.2.5-2.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-5306"
},
{
"category": "external",
"summary": "RHBZ#1273698",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273698"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-5306",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-5306"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5306",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5306"
}
],
"release_date": "2015-10-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-12-21T19:09:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-6.0:openstack-ironic-discoverd-0:0.2.5-2.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-ironic-discoverd-0:0.2.5-2.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:2685"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"7Server-RH7-RHOS-6.0:openstack-ironic-discoverd-0:0.2.5-2.el7ost.noarch",
"7Server-RH7-RHOS-6.0:openstack-ironic-discoverd-0:0.2.5-2.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-discoverd: potential remote code execution with debug mode enabled"
}
]
}
CNVD-2015-07438
Vulnerability from cnvd - Published: 2015-11-11
VLAI Severity ?
Title
OpenStack ironic-discoverd远程代码执行漏洞
Description
OpenStack是一个云平台管理项目。ironic-discoverd是其中的一个提供了硬件内部自检服务功能的组件。
OpenStack ironic-discovered存在安全漏洞,允许远程攻击者利用该漏洞,提交特殊请求进行拒绝服务攻击。
Severity
中
Patch Name
OpenStack ironic-discoverd远程代码执行漏洞的补丁
Patch Description
OpenStack是一个云平台管理项目。ironic-discoverd是其中的一个提供了硬件内部自检服务功能的组件。
OpenStack ironic-discovered存在安全漏洞,允许远程攻击者利用该漏洞,提交特殊请求进行拒绝服务攻击。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
用户可参考如下厂商提供的安全补丁以修复该漏洞: http://openstack.org
Reference
http://www.securityfocus.com/bid/77313
Impacted products
| Name | OpenStack ironic-discovered |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2015-5306"
}
},
"description": "OpenStack\u662f\u4e00\u4e2a\u4e91\u5e73\u53f0\u7ba1\u7406\u9879\u76ee\u3002ironic-discoverd\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u63d0\u4f9b\u4e86\u786c\u4ef6\u5185\u90e8\u81ea\u68c0\u670d\u52a1\u529f\u80fd\u7684\u7ec4\u4ef6\u3002\r\n\r\nOpenStack ironic-discovered\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e,\u63d0\u4ea4\u7279\u6b8a\u8bf7\u6c42\u8fdb\u884c\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u3002",
"discovererName": "OpenStack",
"formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttp://openstack.org",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2015-07438",
"openTime": "2015-11-11",
"patchDescription": "OpenStack\u662f\u4e00\u4e2a\u4e91\u5e73\u53f0\u7ba1\u7406\u9879\u76ee\u3002ironic-discoverd\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u63d0\u4f9b\u4e86\u786c\u4ef6\u5185\u90e8\u81ea\u68c0\u670d\u52a1\u529f\u80fd\u7684\u7ec4\u4ef6\u3002\r\nOpenStack ironic-discovered\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e,\u63d0\u4ea4\u7279\u6b8a\u8bf7\u6c42\u8fdb\u884c\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "OpenStack ironic-discoverd\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "OpenStack ironic-discovered"
},
"referenceLink": "http://www.securityfocus.com/bid/77313",
"serverity": "\u4e2d",
"submitTime": "2015-11-07",
"title": "OpenStack ironic-discoverd\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e"
}
GSD-2015-5306
Vulnerability from gsd - Updated: 2023-12-13 01:20Details
OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2015-5306",
"description": "OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.",
"id": "GSD-2015-5306",
"references": [
"https://access.redhat.com/errata/RHSA-2015:2685",
"https://access.redhat.com/errata/RHSA-2015:1929"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2015-5306"
],
"details": "OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.",
"id": "GSD-2015-5306",
"modified": "2023-12-13T01:20:06.282742Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-5306",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://rhn.redhat.com/errata/RHSA-2015-2685.html",
"refsource": "MISC",
"url": "http://rhn.redhat.com/errata/RHSA-2015-2685.html"
},
{
"name": "https://access.redhat.com/errata/RHSA-2015:1929",
"refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2015:1929"
},
{
"name": "https://bugs.launchpad.net/ironic-inspector/+bug/1506419",
"refsource": "MISC",
"url": "https://bugs.launchpad.net/ironic-inspector/+bug/1506419"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1273698",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273698"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c0.2.5",
"affected_versions": "All versions before 0.2.5",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-254",
"CWE-78",
"CWE-937"
],
"date": "2021-09-21",
"description": "OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.",
"fixed_versions": [
"0.2.5"
],
"identifier": "CVE-2015-5306",
"identifiers": [
"GHSA-x64g-wjmw-w328",
"CVE-2015-5306"
],
"not_impacted": "All versions starting from 0.2.5",
"package_slug": "pypi/ironic-discoverd",
"pubdate": "2019-07-05",
"solution": "Upgrade to version 0.2.5 or above.",
"title": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2015-5306",
"https://access.redhat.com/errata/RHSA-2015:1929",
"https://bugs.launchpad.net/ironic-inspector/+bug/1506419",
"https://bugzilla.redhat.com/show_bug.cgi?id=1273698",
"https://github.com/advisories/GHSA-x64g-wjmw-w328",
"http://rhn.redhat.com/errata/RHSA-2015-2685.html"
],
"uuid": "4e2b7060-5123-4857-825a-c0d667e048f9"
},
{
"affected_range": "\u003c0.2.5",
"affected_versions": "All versions before 0.2.5",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-254",
"CWE-78",
"CWE-937"
],
"date": "2023-02-09",
"description": "It was discovered that enabling debug mode in openstack-ironic-discoverd also enabled debug mode in the underlying Flask framework. If errors were encountered while Flask was in debug mode, a user experiencing an error might be able to access the debug console (effectively, a command shell).",
"fixed_versions": [
"0.2.5"
],
"identifier": "CVE-2015-5306",
"identifiers": [
"GHSA-x64g-wjmw-w328",
"CVE-2015-5306"
],
"not_impacted": "All versions starting from 0.2.5",
"package_slug": "pypi/python-ironic-inspector-client",
"pubdate": "2019-07-05",
"solution": "Upgrade to version 0.2.5 or above.",
"title": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2015-5306",
"https://access.redhat.com/errata/RHSA-2015:1929",
"https://bugs.launchpad.net/ironic-inspector/+bug/1506419",
"https://bugzilla.redhat.com/show_bug.cgi?id=1273698",
"http://rhn.redhat.com/errata/RHSA-2015-2685.html",
"https://opendev.org/openstack/ironic-inspector/commit/77d0052c5133034490386fbfadfdb1bdb49aa44f",
"https://access.redhat.com/errata/RHSA-2015:2685",
"https://access.redhat.com/security/cve/CVE-2015-5306",
"https://github.com/advisories/GHSA-x64g-wjmw-w328"
],
"uuid": "270602d0-b023-4d95-a08b-d67112301f1c"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:openstack:ironic_inspector:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-5306"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-254"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1273698",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273698"
},
{
"name": "https://bugs.launchpad.net/ironic-inspector/+bug/1506419",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://bugs.launchpad.net/ironic-inspector/+bug/1506419"
},
{
"name": "RHSA-2015:1929",
"refsource": "REDHAT",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2015:1929"
},
{
"name": "RHSA-2015:2685",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2685.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2023-02-12T23:15Z",
"publishedDate": "2015-11-25T20:59Z"
}
}
}
FKIE_CVE-2015-5306
Vulnerability from fkie_nvd - Published: 2015-11-25 20:59 - Updated: 2025-04-12 10:46
Severity ?
Summary
OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.
References
| URL | Tags | ||
|---|---|---|---|
| secalert@redhat.com | http://rhn.redhat.com/errata/RHSA-2015-2685.html | ||
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2015:1929 | Vendor Advisory | |
| secalert@redhat.com | https://bugs.launchpad.net/ironic-inspector/+bug/1506419 | Vendor Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1273698 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://rhn.redhat.com/errata/RHSA-2015-2685.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2015:1929 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugs.launchpad.net/ironic-inspector/+bug/1506419 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1273698 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openstack | ironic_inspector | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openstack:ironic_inspector:*:*:*:*:*:*:*:*",
"matchCriteriaId": "95F96F39-A887-4A85-A241-DD55138418C6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error."
},
{
"lang": "es",
"value": "OpenStack Ironic Inspector (tambi\u00e9n conocido como ironic-inspector o ironic-discoverd), cuando el modo depurardor est\u00e1 habilitado, podr\u00eda permitir a atacantes remotos acceder a la consola Flask y ejecutar c\u00f3digo Python arbitrario desencadenando un error."
}
],
"id": "CVE-2015-5306",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2015-11-25T20:59:06.273",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2015-2685.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2015:1929"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://bugs.launchpad.net/ironic-inspector/+bug/1506419"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273698"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2015-2685.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2015:1929"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://bugs.launchpad.net/ironic-inspector/+bug/1506419"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273698"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-254"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-X64G-WJMW-W328
Vulnerability from github – Published: 2019-07-05 21:10 – Updated: 2024-09-24 18:37
VLAI?
Summary
Injection vulnerability that affects ironic-discoverd
Details
OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.
Severity ?
8.1 (High)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "python-ironic-inspector-client"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ironic-inspector"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-5306"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T22:02:22Z",
"nvd_published_at": "2015-11-25T20:59:00Z",
"severity": "CRITICAL"
},
"details": "OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.",
"id": "GHSA-x64g-wjmw-w328",
"modified": "2024-09-24T18:37:57Z",
"published": "2019-07-05T21:10:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5306"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2015:1929"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2015:2685"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2015-5306"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/ironic-inspector/+bug/1506419"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273698"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ironic-inspector/PYSEC-2015-28.yaml"
},
{
"type": "PACKAGE",
"url": "https://opendev.org/openstack/ironic-inspector"
},
{
"type": "WEB",
"url": "https://opendev.org/openstack/ironic-inspector/commit/2c64da2bee6eeea27c08eb7a94894feaa5494910"
},
{
"type": "WEB",
"url": "https://opendev.org/openstack/ironic-inspector/commit/77d0052c5133034490386fbfadfdb1bdb49aa44f"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-2685.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Injection vulnerability that affects ironic-discoverd"
}
Loading…
Show additional events:
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…