CVSS: 9.1EPSS: 0%CPEs: 10EXPL: 0CVE-2019-10141 – openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data
https://notcve.org/view.php?id=CVE-2019-10141
02 Jul 2019 — A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how... • https://access.redhat.com/errata/RHSA-2019:2505 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2015-5306 – openstack-ironic-discoverd: potential remote code execution with debug mode enabled
https://notcve.org/view.php?id=CVE-2015-5306
23 Oct 2015 — OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error. OpenStack Ironic Inspector (también conocido como ironic-inspector o ironic-discoverd), cuando el modo depurardor está habilitado, podría permitir a atacantes remotos acceder a la consola Flask y ejecutar código Python arbitrario desencadenando un error. It was discovered that enabling debug mode ... • http://rhn.redhat.com/errata/RHSA-2015-2685.html • CWE-254: 7PK - Security Features CWE-749: Exposed Dangerous Method or Function •