CVE-2019-10141: SQL Injection
First published: Sun May 19 2019(Updated: )
A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/openstack-ironic-inspector | <5.0.2 | 5.0.2 |
| redhat/openstack-ironic-inspector | <6.0.3 | 6.0.3 |
| redhat/openstack-iron-inspector | <7.2.4 | 7.2.4 |
| redhat/openstack-ironic-inspector | <8.0.3 | 8.0.3 |
| redhat/openstack-ironic-inspector | <8.2.1 | 8.2.1 |
| pip/ironic-inspector | >=8.1.0<8.2.1 | 8.2.1 |
| pip/ironic-inspector | >=8.0.0<8.0.3 | 8.0.3 |
| pip/ironic-inspector | >=6.1.0<7.2.4 | 7.2.4 |
| pip/ironic-inspector | >=5.1.0<6.0.3 | 6.0.3 |
| pip/ironic-inspector | <5.0.2 | 5.0.2 |
| OpenStack Ironic Inspector | <5.0.2 | |
| OpenStack Ironic Inspector | >=5.1.0<6.0.3 | |
| OpenStack Ironic Inspector | >=6.1.0<7.2.4 | |
| OpenStack Ironic Inspector | >=8.0.0<8.0.3 | |
| OpenStack Ironic Inspector | >=8.1.0<8.2.1 | |
| Red Hat OpenStack for IBM Power | =10 | |
| Red Hat OpenStack for IBM Power | =13 | |
| Red Hat OpenStack for IBM Power | =14 | |
| Red Hat OpenStack for IBM Power | =9 | |
| Red Hat Enterprise Linux | =7.0 | |
| All of | ||
| Red Hat OpenStack for IBM Power | =9 | |
| Red Hat Enterprise Linux | =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2019:2505
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141
- https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata
- https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike
- https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens
- https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky
- https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1712186
- https://review.opendev.org/660234
- https://review.opendev.org/#/c/660306/1
- https://review.opendev.org/#/c/660305/1
- https://review.opendev.org/#/c/660310/1
- https://review.opendev.org/#/c/660308/1
- https://review.opendev.org/#/c/660304/1
- https://access.redhat.com/errata/RHSA-2019:1669
- https://access.redhat.com/errata/RHSA-2019:1722
- https://access.redhat.com/errata/RHSA-2019:1734
- https://access.redhat.com/security/cve/cve-2019-10141
- https://bugzilla.redhat.com/show_bug.cgi?id=1711722
- https://nvd.nist.gov/vuln/detail/CVE-2019-10141
- https://github.com/openstack/ironic-inspector/commit/9d107900b2e0b599397b84409580d46e0ed16291
- https://review.opendev.org/c/openstack/ironic-inspector/+/660234
- https://storyboard.openstack.org/#!/story/2005678
- https://github.com/advisories/GHSA-c7fc-cm7p-92r2 (Advisory)
- https://github.com/openstack/ironic-inspector/commit/17c796b49171b6133e988f78c92d7c9b7ed3fcf3
- https://github.com/openstack/ironic-inspector/commit/67ff87ebca1016d44bd9d284ec4c16a88a533cfc
- https://github.com/openstack/ironic-inspector/commit/97f9d34f8376ac7accd2597b3bdce67a9dac664f
- https://github.com/pypa/advisory-database/tree/main/vulns/ironic-inspector/PYSEC-2019-152.yaml
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID of this issue is CVE-2019-10141.
What is the severity of CVE-2019-10141?
The severity of CVE-2019-10141 is critical with a CVSS score of 9.1.
What is the affected software for CVE-2019-10141?
The affected software for CVE-2019-10141 is openstack-ironic-inspector, versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3, and 8.2.1.
What is the fix/remedy for CVE-2019-10141?
The fix/remedy for CVE-2019-10141 is to update openstack-ironic-inspector to versions 5.0.2, 6.0.3, 7.2.4, 8.0.3, or 8.2.1.
Where can I find more information about CVE-2019-10141?
You can find more information about CVE-2019-10141 at the following references: [link1], [link2], [link3].
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/description
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-10141
- agent/software-canonical-lookup
- agent/severity
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-c7fc-cm7p-92r2
- agent/references
- agent/last-modified-date
- collector/github-advisory
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- package-manager/redhat
- package-manager/pip
- vendor/openstack
- canonical/openstack ironic inspector
- version/openstack ironic inspector/5.1.0
- version/openstack ironic inspector/6.1.0
- version/openstack ironic inspector/8.0.0
- version/openstack ironic inspector/8.1.0
- vendor/redhat
- canonical/red hat openstack for ibm power
- version/red hat openstack for ibm power/10
- version/red hat openstack for ibm power/13
- version/red hat openstack for ibm power/14
- version/red hat openstack for ibm power/9
- canonical/red hat enterprise linux
- version/red hat enterprise linux/7.0