
CVE-2015-5306: Injection vulnerability that affects ironic-discoverd

CVSS Score: 8.1 (CVSS version 3.1)

Basic Information

EPSS Score: 0.63437%
CWE: -
Published: 7/5/2019
Updated: 9/24/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
python-ironic-inspector-client | pip | < 0.2.5 | 0.2.5
ironic-inspector | pip | >= 0, < 2.2.2 | 2.2.2

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from Flask's debug mode being enabled through the main application entrypoint. The patch (77d0052c5133034490386fbfadfdb1bdb49aa44f) shows removal of the debug parameter in app.run(), which previously used the configuration value. This function would appear in profiler output as it's the primary WSGI application entrypoint that handles HTTP requests. The debug mode activation at this level is what enabled the vulnerable Werkzeug console.
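As an added example (not Miggo's or the ironic-inspector project's code), the static check below flags `run()` calls that can turn Flask debug mode on, which is the call-site pattern the patch is described as removing. The sample sources and the `find_debug_run_calls` name are constructed for illustration.

```python
import ast

# Constructed samples (not the project's source): BEFORE feeds a configuration
# value into debug, AFTER omits the parameter as the patch is described to do.
BEFORE = '''
app.run(debug=conf.getboolean("service", "debug"), host=host, port=port)
'''
AFTER = '''
app.run(host=host, port=port)
'''


def _is_false(node):
    """True only for the literal False, the one value that cannot enable debug."""
    return isinstance(node, ast.Constant) and node.value is False


def find_debug_run_calls(source, filename="<source>"):
    """Return sorted (line, reason) pairs for .run() calls that may enable debug."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "run"):
            continue
        # Flask.run(host, port, debug, ...): the third positional is debug.
        if len(node.args) >= 3 and not _is_false(node.args[2]):
            findings.append((node.lineno, "positional debug=" + ast.unparse(node.args[2])))
        for kw in node.keywords:
            if kw.arg is None:
                # **options could carry debug or use_debugger.
                findings.append((node.lineno, "**" + ast.unparse(kw.value)))
            elif kw.arg in ("debug", "use_debugger") and not _is_false(kw.value):
                findings.append((node.lineno, kw.arg + "=" + ast.unparse(kw.value)))
    return sorted(findings)


if __name__ == "__main__":
    for name, src in (("before", BEFORE), ("after", AFTER)):
        print(name, find_debug_run_calls(src))
```

The check matches any attribute call named `run`, so hits need manual review, and it does not cover debug mode set elsewhere, such as through `app.debug`.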


WAF Protection Rules

WAF Rule

OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.
