Vulnerability DatabaseCVE-2019-10141
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2019-10141
July 30, 2019
A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
Affected Packages
ironic-inspector (PYTHON):
Affected version(s) >=8.0.0 <8.0.3
Fix Suggestion:
Update to version 8.0.3
ironic-inspector (PYTHON):
Affected version(s) >=5.1.0 <6.0.3
Fix Suggestion:
Update to version 6.0.3
ironic-inspector (PYTHON):
Affected version(s) >=6.1.0 <7.2.4
Fix Suggestion:
Update to version 7.2.4
ironic-inspector (PYTHON):
Affected version(s) >=8.1.0 <8.2.1
Fix Suggestion:
Update to version 8.2.1
ironic-inspector (PYTHON):
Affected version(s) >=2.0.0 <5.0.2
Fix Suggestion:
Update to version 5.0.2
Related ResourcesĀ (16)
https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens
https://github.com/openstack/ironic-inspector/commit/97f9d34f8376ac7accd2597b3bdce67a9dac664f
https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein
https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata
https://github.com/openstack/ironic-inspector
https://github.com/openstack/ironic-inspector/commit/17c796b49171b6133e988f78c92d7c9b7ed3fcf3
https://github.com/openstack/ironic-inspector/commit/67ff87ebca1016d44bd9d284ec4c16a88a533cfc
https://storyboard.openstack.org/#!/story/2005678
https://github.com/openstack/ironic-inspector/commit/9d107900b2e0b599397b84409580d46e0ed16291
https://github.com/pypa/advisory-database/tree/main/vulns/ironic-inspector/PYSEC-2019-152.yaml
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141
https://access.redhat.com/errata/RHSA-2019:2505
https://nvd.nist.gov/vuln/detail/CVE-2019-10141
https://review.opendev.org/c/openstack/ironic-inspector/+/660234
https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike
https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky
Do you need more information?
Contact Us
CVSS v4
Base Score:
7.2
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
HIGH
Availability
HIGH
CVSS v2
Base Score:
6.4
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
Weakness Type (CWE)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-89
EPSS
Base Score:
0.76