CVE-2019-10141

A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
References
Link Resource
https://access.redhat.com/errata/RHSA-2019:2505
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141 Issue Tracking Patch Third Party Advisory
https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata Release Notes Vendor Advisory
https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike Release Notes Vendor Advisory
https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens Release Notes Vendor Advisory
https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky Release Notes Vendor Advisory
https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein Release Notes Vendor Advisory
https://access.redhat.com/errata/RHSA-2019:2505
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141 Issue Tracking Patch Third Party Advisory
https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata Release Notes Vendor Advisory
https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike Release Notes Vendor Advisory
https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens Release Notes Vendor Advisory
https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky Release Notes Vendor Advisory
https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein Release Notes Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*
cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*
cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*
cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*
cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:a:redhat:openstack:9:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

History

21 Nov 2024, 04:18

Type Values Removed Values Added
References () https://access.redhat.com/errata/RHSA-2019:2505 - () https://access.redhat.com/errata/RHSA-2019:2505 -
References () https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141 - Issue Tracking, Patch, Third Party Advisory () https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141 - Issue Tracking, Patch, Third Party Advisory
References () https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata - Release Notes, Vendor Advisory () https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata - Release Notes, Vendor Advisory
References () https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike - Release Notes, Vendor Advisory () https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike - Release Notes, Vendor Advisory
References () https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens - Release Notes, Vendor Advisory () https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens - Release Notes, Vendor Advisory
References () https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky - Release Notes, Vendor Advisory () https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky - Release Notes, Vendor Advisory
References () https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein - Release Notes, Vendor Advisory () https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein - Release Notes, Vendor Advisory
CVSS v2 : 6.4
v3 : 9.1
v2 : 6.4
v3 : 8.3

Information

Published : 2019-07-30 17:15

Updated : 2024-11-21 04:18


NVD link : CVE-2019-10141

Mitre link : CVE-2019-10141

CVE.ORG link : CVE-2019-10141


JSON object : View

Products Affected

openstack

  • ironic-inspector

redhat

  • enterprise_linux
  • openstack
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')