CVE-2019-10141
Summary
| CVE | CVE-2019-10141 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-07-30 17:15:00 UTC |
| Updated | 2021-08-04 17:15:00 UTC |
| Description | A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service. |
Risk And Classification
Problem Types: CWE-89
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Openstack | Ironic-inspector | All | All | All | All |
| Application | Openstack | Ironic-inspector | All | All | All | All |
| Operating System | Redhat | Enterprise Linux | 7.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 7.0 | All | All | All |
| Application | Redhat | Openstack | 10 | All | All | All |
| Application | Redhat | Openstack | 13 | All | All | All |
| Application | Redhat | Openstack | 13.0 | All | All | All |
| Application | Redhat | Openstack | 14 | All | All | All |
| Application | Redhat | Openstack | 14.0 | All | All | All |
| Application | Redhat | Openstack | 9 | All | All | All |
| Application | Redhat | Openstack | 9.0 | All | All | All |
| Application | Redhat | Openstack | 10 | All | All | All |
| Application | Redhat | Openstack | 13.0 | All | All | All |
| Application | Redhat | Openstack | 14.0 | All | All | All |
| Application | Redhat | Openstack | 9.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| OpenStack Docs: Queens Series (6.1.0 - 7.2.x) Release Notes | MISC | docs.openstack.org | Release Notes, Vendor Advisory |
| Red Hat Customer Portal - Access to 24x7 support and knowledge | REDHAT | access.redhat.com | |
| 1711722 – (CVE-2019-10141) CVE-2019-10141 openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data | CONFIRM | bugzilla.redhat.com | Issue Tracking, Patch, Third Party Advisory |
| Ocata Series (5.0.0 - 5.0.x) Release Notes — Ironic Inspector Release Notes 5.1.1.dev38 documentation | MISC | docs.openstack.org | Release Notes, Vendor Advisory |
| OpenStack Docs: Rocky Series (8.0.0 - 8.0.x) Release Notes | MISC | docs.openstack.org | Release Notes, Vendor Advisory |
| OpenStack Docs: Stein Series (8.1.0 - 8.2.x) Release Notes | MISC | docs.openstack.org | Release Notes, Vendor Advisory |
| OpenStack Docs: Pike Series (6.0.0 - 6.0.x) Release Notes | MISC | docs.openstack.org | Release Notes, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.