Published: 30/07/2019 Updated: 04/08/2021

CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10

CVSS v3 Base Score: 9.1 | Impact Score: 5.2 | Exploitability Score: 3.9

VMScore: 570

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P

A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.

Vulnerable Product	Search on Vulmon	Subscribe to Product
openstack ironic-inspector
redhat openstack 10
redhat openstack 13
redhat openstack 14
redhat openstack 9

Debian Bug report logs - #929332 ironic-inspector: CVE-2019-10141: SQL Injection vulnerability when receiving introspection data Package: src:ironic-inspector; Maintainer for src:ironic-inspector is Debian OpenStack <team+openstack@trackerdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Tue, 2 ...

Synopsis Important: openstack-ironic-inspector security update Type/Severity Security Advisory: Important Topic An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 140 (Rocky)Red Hat Product Security has rated this update as having a security impact of Important A Com ...

Synopsis Important: openstack-ironic-inspector security update Type/Severity Security Advisory: Important Topic An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 130 (Queens)Red Hat Product Security has rated this update as having a security impact of Important A Co ...

Synopsis Important: openstack-ironic-inspector security update Type/Severity Security Advisory: Important Topic An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 100 (Newton)Red Hat Product Security has rated this update as having a security impact of Important A Co ...

Synopsis Important: openstack-ironic-inspector security update Type/Severity Security Advisory: Important Topic An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 90 (Mitaka) directorRed Hat Product Security has rated this update as having a security impact of Importa ...

CWE-89 https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141 https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike https://access.redhat.com/errata/RHSA-2019:2505 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929332 https://nvd.nist.gov

CVE-2019-10141

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect