Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2019-10141 (GCVE-0-2019-10141)
Vulnerability from cvelistv5 – Published: 2019-07-30 16:22 – Updated: 2024-08-04 22:10
VLAI?
EPSS
Summary
A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
Severity ?
8.3 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RedHat | openstack-ironic-inspector |
Affected:
all 5.0.x up to, excluding 5.0.2
Affected: all 6.0.x up to, excluding 6.0.3 Affected: all 7.2.x up to, excluding 7.2.4 Affected: all 8.0.3 up to, excluding 8.0.3 Affected: 8.2.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:10:09.963Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"name": "RHSA-2019:2505",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "openstack-ironic-inspector",
"vendor": "RedHat",
"versions": [
{
"status": "affected",
"version": "all 5.0.x up to, excluding 5.0.2"
},
{
"status": "affected",
"version": "all 6.0.x up to, excluding 6.0.3"
},
{
"status": "affected",
"version": "all 7.2.x up to, excluding 7.2.4"
},
{
"status": "affected",
"version": "all 8.0.3 up to, excluding 8.0.3"
},
{
"status": "affected",
"version": "8.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-15T16:06:15.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"name": "RHSA-2019:2505",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-10141",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "openstack-ironic-inspector",
"version": {
"version_data": [
{
"version_value": "all 5.0.x up to, excluding 5.0.2"
},
{
"version_value": "all 6.0.x up to, excluding 6.0.3"
},
{
"version_value": "all 7.2.x up to, excluding 7.2.4"
},
{
"version_value": "all 8.0.3 up to, excluding 8.0.3"
},
{
"version_value": "8.2.0"
}
]
}
}
]
},
"vendor_name": "RedHat"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "8.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"refsource": "MISC",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"refsource": "MISC",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"refsource": "MISC",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"refsource": "MISC",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"refsource": "MISC",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"name": "RHSA-2019:2505",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-10141",
"datePublished": "2019-07-30T16:22:59.000Z",
"dateReserved": "2019-03-27T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:10:09.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2019-10141",
"date": "2026-04-23",
"epss": "0.00757",
"percentile": "0.73362"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"5.0.2\", \"matchCriteriaId\": \"1148EC36-0766-4080-AC70-7C384D8A41BC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.1.0\", \"versionEndExcluding\": \"6.0.3\", \"matchCriteriaId\": \"E8F90AF2-9A18-40F8-BBAF-51D1727142FE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.1.0\", \"versionEndExcluding\": \"7.2.4\", \"matchCriteriaId\": \"77B95F6A-6F21-433A-B8C3-D7EA91312E62\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.0.0\", \"versionEndExcluding\": \"8.0.3\", \"matchCriteriaId\": \"E9C414C8-F67E-4C60-BCC7-6CE2C0B552C8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.1.0\", \"versionEndExcluding\": \"8.2.1\", \"matchCriteriaId\": \"79F2C939-0CC0-444A-A313-A52A14CA7B0E\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E722FEF7-58A6-47AD-B1D0-DB0B71B0C7AA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"704CFA1A-953E-4105-BFBE-406034B83DED\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EB7F358B-5E56-41AB-BB8A-23D3CB7A248B\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:openstack:9:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F40C26BE-56CB-4022-A1D8-3CA0A8F87F4B\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"142AD0DD-4CF3-4D74-9442-459CE3347E3A\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.\"}, {\"lang\": \"es\", \"value\": \"Se detect\\u00f3 una vulnerabilidad en ironic-inspector de openstack en todas las versiones, excluyendo a la 5.0.2, 6.0.3, 7.2.4, 8.0.3 y 8.2.1. Se detect\\u00f3 una vulnerabilidad de inyecci\\u00f3n SQL en la funci\\u00f3n node_cache.find_node() de ironic-inspector de openstack. Esta funci\\u00f3n realiza una consulta SQL usando datos sin filtrar de un servidor que informa los resultados de la inspecci\\u00f3n (mediante una POST hacia el endpoint /v1/continue). Porque la API no est\\u00e1 autenticada, el fallo podr\\u00eda ser explotado por un atacante con acceso a la red en la que ironic-inspector es detectado. Debido a que ironic-inspector usa los resultados de la consulta, es poco probable que se puedan obtener datos. Sin embargo, el atacante podr\\u00eda pasar datos maliciosos y crear una denegaci\\u00f3n de servicio.\"}]",
"id": "CVE-2019-10141",
"lastModified": "2024-11-21T04:18:30.227",
"metrics": "{\"cvssMetricV30\": [{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H\", \"baseScore\": 8.3, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.5}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\", \"baseScore\": 9.1, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.2}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:P/A:P\", \"baseScore\": 6.4, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2019-07-30T17:15:12.453",
"references": "[{\"url\": \"https://access.redhat.com/errata/RHSA-2019:2505\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:2505\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2019-10141\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2019-07-30T17:15:12.453\",\"lastModified\":\"2024-11-21T04:18:30.227\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.\"},{\"lang\":\"es\",\"value\":\"Se detect\u00f3 una vulnerabilidad en ironic-inspector de openstack en todas las versiones, excluyendo a la 5.0.2, 6.0.3, 7.2.4, 8.0.3 y 8.2.1. Se detect\u00f3 una vulnerabilidad de inyecci\u00f3n SQL en la funci\u00f3n node_cache.find_node() de ironic-inspector de openstack. Esta funci\u00f3n realiza una consulta SQL usando datos sin filtrar de un servidor que informa los resultados de la inspecci\u00f3n (mediante una POST hacia el endpoint /v1/continue). Porque la API no est\u00e1 autenticada, el fallo podr\u00eda ser explotado por un atacante con acceso a la red en la que ironic-inspector es detectado. Debido a que ironic-inspector usa los resultados de la consulta, es poco probable que se puedan obtener datos. Sin embargo, el atacante podr\u00eda pasar datos maliciosos y crear una denegaci\u00f3n de servicio.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H\",\"baseScore\":8.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:P\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.0.2\",\"matchCriteriaId\":\"1148EC36-0766-4080-AC70-7C384D8A41BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.1.0\",\"versionEndExcluding\":\"6.0.3\",\"matchCriteriaId\":\"E8F90AF2-9A18-40F8-BBAF-51D1727142FE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.1.0\",\"versionEndExcluding\":\"7.2.4\",\"matchCriteriaId\":\"77B95F6A-6F21-433A-B8C3-D7EA91312E62\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.0\",\"versionEndExcluding\":\"8.0.3\",\"matchCriteriaId\":\"E9C414C8-F67E-4C60-BCC7-6CE2C0B552C8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.1.0\",\"versionEndExcluding\":\"8.2.1\",\"matchCriteriaId\":\"79F2C939-0CC0-444A-A313-A52A14CA7B0E\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E722FEF7-58A6-47AD-B1D0-DB0B71B0C7AA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"704CFA1A-953E-4105-BFBE-406034B83DED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EB7F358B-5E56-41AB-BB8A-23D3CB7A248B\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openstack:9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F40C26BE-56CB-4022-A1D8-3CA0A8F87F4B\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"142AD0DD-4CF3-4D74-9442-459CE3347E3A\"}]}]}],\"references\":[{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2505\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2505\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]}]}}"
}
}
RHSA-2019_1722
Vulnerability from csaf_redhat - Published: 2019-07-10 10:01 - Updated: 2024-11-15 03:11Summary
Red Hat Security Advisory: openstack-ironic-inspector security update
Severity
Important
Notes
Topic: An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 10.0 (Newton).
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: OpenStack Bare Metal (ironic) is a tool used to provision bare metal (as opposed to virtual) machines. It leverages common technologies such as PXE boot and IPMI to cover a wide range of hardware. It also supports pluggable drivers to allow added, vendor-specific, functionality.
Security Fix(es):
* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
8.3 (High)
Vendor Fix
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2019:1722
References
Acknowledgments
Red Hat
Zane Bitter
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 10.0 (Newton).\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenStack Bare Metal (ironic) is a tool used to provision bare metal (as opposed to virtual) machines. It leverages common technologies such as PXE boot and IPMI to cover a wide range of hardware. It also supports pluggable drivers to allow added, vendor-specific, functionality.\n\nSecurity Fix(es):\n\n* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:1722",
"url": "https://access.redhat.com/errata/RHSA-2019:1722"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_1722.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-inspector security update",
"tracking": {
"current_release_date": "2024-11-15T03:11:27+00:00",
"generator": {
"date": "2024-11-15T03:11:27+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:1722",
"initial_release_date": "2019-07-10T10:01:26+00:00",
"revision_history": [
{
"date": "2019-07-10T10:01:26+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-07-10T10:01:26+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T03:11:27+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 10.0",
"product": {
"name": "Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:10::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src",
"product": {
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src",
"product_id": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@4.2.2-6.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"product_id": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@4.2.2-6.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch as a component of Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-10.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src as a component of Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.src"
},
"product_reference": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-10.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Zane Bitter"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-10141",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2019-05-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1711722"
}
],
"notes": [
{
"category": "description",
"text": "A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10141"
},
{
"category": "external",
"summary": "RHBZ#1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10141",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
}
],
"release_date": "2019-05-15T03:50:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-10T10:01:26+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1722"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data"
}
]
}
RHSA-2019:1734
Vulnerability from csaf_redhat - Published: 2019-07-10 14:02 - Updated: 2025-11-21 18:09Summary
Red Hat Security Advisory: openstack-ironic-inspector security update
Severity
Important
Notes
Topic: An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 13.0 (Queens).
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: ironic-inspector is an auxiliary service for discovering hardware properties for a node managed by Ironic. Hardware introspection or hardware properties discovery is a process of getting hardware parameters required for scheduling from a bare metal node, given its power management credentials (e.g. IPMI address, user name and password).
Security Fix:
* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)
For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
8.3 (High)
Vendor Fix
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2019:1734
References
| URL | Category | |||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||
Acknowledgments
Red Hat
Zane Bitter
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 13.0 (Queens).\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "ironic-inspector is an auxiliary service for discovering hardware properties for a node managed by Ironic. Hardware introspection or hardware properties discovery is a process of getting hardware parameters required for scheduling from a bare metal node, given its power management credentials (e.g. IPMI address, user name and password).\n\nSecurity Fix:\n\n* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)\n\nFor more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:1734",
"url": "https://access.redhat.com/errata/RHSA-2019:1734"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "1717086",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1717086"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_1734.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-inspector security update",
"tracking": {
"current_release_date": "2025-11-21T18:09:00+00:00",
"generator": {
"date": "2025-11-21T18:09:00+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2019:1734",
"initial_release_date": "2019-07-10T14:02:39+00:00",
"revision_history": [
{
"date": "2019-07-10T14:02:39+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-07-10T14:02:39+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:09:00+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 13.0",
"product": {
"name": "Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-13.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:13::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src",
"product": {
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src",
"product_id": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@7.2.3-3.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"product_id": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@7.2.3-3.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch as a component of Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-13.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src as a component of Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.src"
},
"product_reference": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-13.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Zane Bitter"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-10141",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2019-05-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1711722"
}
],
"notes": [
{
"category": "description",
"text": "A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10141"
},
{
"category": "external",
"summary": "RHBZ#1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10141",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
}
],
"release_date": "2019-05-15T03:50:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-10T14:02:39+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1734"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data"
}
]
}
RHSA-2019:2505
Vulnerability from csaf_redhat - Published: 2019-08-15 16:02 - Updated: 2025-11-21 18:09Summary
Red Hat Security Advisory: openstack-ironic-inspector security update
Severity
Important
Notes
Topic: An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 9.0 (Mitaka) director.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: ironic-inspector is an auxiliary service for discovering hardware
properties for a node managed by Ironic. Hardware introspection or hardware
properties discovery is a process of getting hardware parameters required
for scheduling from a bare metal node, given its power management
credentials (e.g. IPMI address, user name and password).
Security Fix(es):
* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
8.3 (High)
Vendor Fix
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2019:2505
References
| URL | Category | ||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
Acknowledgments
Red Hat
Zane Bitter
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 9.0 (Mitaka) director.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "ironic-inspector is an auxiliary service for discovering hardware\nproperties for a node managed by Ironic. Hardware introspection or hardware\nproperties discovery is a process of getting hardware parameters required\nfor scheduling from a bare metal node, given its power management\ncredentials (e.g. IPMI address, user name and password).\n\nSecurity Fix(es):\n\n* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:2505",
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_2505.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-inspector security update",
"tracking": {
"current_release_date": "2025-11-21T18:09:48+00:00",
"generator": {
"date": "2025-11-21T18:09:48+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2019:2505",
"initial_release_date": "2019-08-15T16:02:36+00:00",
"revision_history": [
{
"date": "2019-08-15T16:02:36+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-08-15T16:02:36+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:09:48+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenStack 9.0 Director for RHEL 7",
"product": {
"name": "OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack-director:9::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"product_id": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@3.2.2-5.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch",
"product_id": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector-doc@3.2.2-5.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"product": {
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"product_id": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@3.2.2-5.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch as a component of OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src as a component of OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.src"
},
"product_reference": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch as a component of OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0-Director"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Zane Bitter"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-10141",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2019-05-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1711722"
}
],
"notes": [
{
"category": "description",
"text": "A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10141"
},
{
"category": "external",
"summary": "RHBZ#1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10141",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
}
],
"release_date": "2019-05-15T03:50:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-15T16:02:36+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data"
}
]
}
RHSA-2019_1669
Vulnerability from csaf_redhat - Published: 2019-07-02 19:45 - Updated: 2024-11-15 03:11Summary
Red Hat Security Advisory: openstack-ironic-inspector security update
Severity
Important
Notes
Topic: An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 14.0 (Rocky).
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Nodes managed by Ironic may use the ironic-inspector auxiliary service to discover hardware properties. Hardware introspection or hardware properties discovery is a process of getting hardware parameters required for scheduling from a bare metal node, given its power management credentials (e.g. IPMI address, user name and password).
Security Fix(es):
* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
8.3 (High)
Vendor Fix
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2019:1669
References
| URL | Category | |||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||
Acknowledgments
Red Hat
Zane Bitter
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 14.0 (Rocky).\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Nodes managed by Ironic may use the ironic-inspector auxiliary service to discover hardware properties. Hardware introspection or hardware properties discovery is a process of getting hardware parameters required for scheduling from a bare metal node, given its power management credentials (e.g. IPMI address, user name and password).\n\nSecurity Fix(es):\n\n* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:1669",
"url": "https://access.redhat.com/errata/RHSA-2019:1669"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "1712027",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1712027"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_1669.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-inspector security update",
"tracking": {
"current_release_date": "2024-11-15T03:11:22+00:00",
"generator": {
"date": "2024-11-15T03:11:22+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:1669",
"initial_release_date": "2019-07-02T19:45:37+00:00",
"revision_history": [
{
"date": "2019-07-02T19:45:37+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-07-02T19:45:37+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T03:11:22+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 14.0",
"product": {
"name": "Red Hat OpenStack Platform 14.0",
"product_id": "7Server-RH7-RHOS-14.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:14::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src",
"product": {
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src",
"product_id": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@8.0.3-0.20190420013817.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"product_id": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@8.0.3-0.20190420013817.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch as a component of Red Hat OpenStack Platform 14.0",
"product_id": "7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-14.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src as a component of Red Hat OpenStack Platform 14.0",
"product_id": "7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src"
},
"product_reference": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-14.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Zane Bitter"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-10141",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2019-05-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1711722"
}
],
"notes": [
{
"category": "description",
"text": "A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10141"
},
{
"category": "external",
"summary": "RHBZ#1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10141",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
}
],
"release_date": "2019-05-15T03:50:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-02T19:45:37+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data"
}
]
}
RHSA-2019_2505
Vulnerability from csaf_redhat - Published: 2019-08-15 16:02 - Updated: 2024-11-15 03:13Summary
Red Hat Security Advisory: openstack-ironic-inspector security update
Severity
Important
Notes
Topic: An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 9.0 (Mitaka) director.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: ironic-inspector is an auxiliary service for discovering hardware
properties for a node managed by Ironic. Hardware introspection or hardware
properties discovery is a process of getting hardware parameters required
for scheduling from a bare metal node, given its power management
credentials (e.g. IPMI address, user name and password).
Security Fix(es):
* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
8.3 (High)
Vendor Fix
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2019:2505
References
| URL | Category | ||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
Acknowledgments
Red Hat
Zane Bitter
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 9.0 (Mitaka) director.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "ironic-inspector is an auxiliary service for discovering hardware\nproperties for a node managed by Ironic. Hardware introspection or hardware\nproperties discovery is a process of getting hardware parameters required\nfor scheduling from a bare metal node, given its power management\ncredentials (e.g. IPMI address, user name and password).\n\nSecurity Fix(es):\n\n* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:2505",
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_2505.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-inspector security update",
"tracking": {
"current_release_date": "2024-11-15T03:13:23+00:00",
"generator": {
"date": "2024-11-15T03:13:23+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:2505",
"initial_release_date": "2019-08-15T16:02:36+00:00",
"revision_history": [
{
"date": "2019-08-15T16:02:36+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-08-15T16:02:36+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T03:13:23+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenStack 9.0 Director for RHEL 7",
"product": {
"name": "OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack-director:9::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"product_id": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@3.2.2-5.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch",
"product_id": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector-doc@3.2.2-5.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"product": {
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"product_id": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@3.2.2-5.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch as a component of OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src as a component of OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.src"
},
"product_reference": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch as a component of OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0-Director"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Zane Bitter"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-10141",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2019-05-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1711722"
}
],
"notes": [
{
"category": "description",
"text": "A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10141"
},
{
"category": "external",
"summary": "RHBZ#1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10141",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
}
],
"release_date": "2019-05-15T03:50:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-15T16:02:36+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data"
}
]
}
RHSA-2019:1669
Vulnerability from csaf_redhat - Published: 2019-07-02 19:45 - Updated: 2025-11-21 18:08Summary
Red Hat Security Advisory: openstack-ironic-inspector security update
Severity
Important
Notes
Topic: An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 14.0 (Rocky).
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Nodes managed by Ironic may use the ironic-inspector auxiliary service to discover hardware properties. Hardware introspection or hardware properties discovery is a process of getting hardware parameters required for scheduling from a bare metal node, given its power management credentials (e.g. IPMI address, user name and password).
Security Fix(es):
* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
8.3 (High)
Vendor Fix
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2019:1669
References
| URL | Category | |||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||
Acknowledgments
Red Hat
Zane Bitter
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 14.0 (Rocky).\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Nodes managed by Ironic may use the ironic-inspector auxiliary service to discover hardware properties. Hardware introspection or hardware properties discovery is a process of getting hardware parameters required for scheduling from a bare metal node, given its power management credentials (e.g. IPMI address, user name and password).\n\nSecurity Fix(es):\n\n* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:1669",
"url": "https://access.redhat.com/errata/RHSA-2019:1669"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "1712027",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1712027"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_1669.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-inspector security update",
"tracking": {
"current_release_date": "2025-11-21T18:08:56+00:00",
"generator": {
"date": "2025-11-21T18:08:56+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2019:1669",
"initial_release_date": "2019-07-02T19:45:37+00:00",
"revision_history": [
{
"date": "2019-07-02T19:45:37+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-07-02T19:45:37+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:08:56+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 14.0",
"product": {
"name": "Red Hat OpenStack Platform 14.0",
"product_id": "7Server-RH7-RHOS-14.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:14::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src",
"product": {
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src",
"product_id": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@8.0.3-0.20190420013817.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"product_id": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@8.0.3-0.20190420013817.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch as a component of Red Hat OpenStack Platform 14.0",
"product_id": "7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-14.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src as a component of Red Hat OpenStack Platform 14.0",
"product_id": "7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src"
},
"product_reference": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-14.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Zane Bitter"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-10141",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2019-05-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1711722"
}
],
"notes": [
{
"category": "description",
"text": "A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10141"
},
{
"category": "external",
"summary": "RHBZ#1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10141",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
}
],
"release_date": "2019-05-15T03:50:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-02T19:45:37+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data"
}
]
}
RHSA-2019_1734
Vulnerability from csaf_redhat - Published: 2019-07-10 14:02 - Updated: 2024-11-15 03:11Summary
Red Hat Security Advisory: openstack-ironic-inspector security update
Severity
Important
Notes
Topic: An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 13.0 (Queens).
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: ironic-inspector is an auxiliary service for discovering hardware properties for a node managed by Ironic. Hardware introspection or hardware properties discovery is a process of getting hardware parameters required for scheduling from a bare metal node, given its power management credentials (e.g. IPMI address, user name and password).
Security Fix:
* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)
For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
8.3 (High)
Vendor Fix
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2019:1734
References
| URL | Category | |||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||
Acknowledgments
Red Hat
Zane Bitter
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 13.0 (Queens).\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "ironic-inspector is an auxiliary service for discovering hardware properties for a node managed by Ironic. Hardware introspection or hardware properties discovery is a process of getting hardware parameters required for scheduling from a bare metal node, given its power management credentials (e.g. IPMI address, user name and password).\n\nSecurity Fix:\n\n* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)\n\nFor more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:1734",
"url": "https://access.redhat.com/errata/RHSA-2019:1734"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "1717086",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1717086"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_1734.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-inspector security update",
"tracking": {
"current_release_date": "2024-11-15T03:11:58+00:00",
"generator": {
"date": "2024-11-15T03:11:58+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:1734",
"initial_release_date": "2019-07-10T14:02:39+00:00",
"revision_history": [
{
"date": "2019-07-10T14:02:39+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-07-10T14:02:39+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T03:11:58+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 13.0",
"product": {
"name": "Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-13.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:13::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src",
"product": {
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src",
"product_id": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@7.2.3-3.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"product_id": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@7.2.3-3.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch as a component of Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-13.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src as a component of Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.src"
},
"product_reference": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-13.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Zane Bitter"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-10141",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2019-05-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1711722"
}
],
"notes": [
{
"category": "description",
"text": "A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10141"
},
{
"category": "external",
"summary": "RHBZ#1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10141",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
}
],
"release_date": "2019-05-15T03:50:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-10T14:02:39+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1734"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data"
}
]
}
RHSA-2019:1722
Vulnerability from csaf_redhat - Published: 2019-07-10 10:01 - Updated: 2025-11-21 18:08Summary
Red Hat Security Advisory: openstack-ironic-inspector security update
Severity
Important
Notes
Topic: An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 10.0 (Newton).
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: OpenStack Bare Metal (ironic) is a tool used to provision bare metal (as opposed to virtual) machines. It leverages common technologies such as PXE boot and IPMI to cover a wide range of hardware. It also supports pluggable drivers to allow added, vendor-specific, functionality.
Security Fix(es):
* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
8.3 (High)
Vendor Fix
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2019:1722
References
| URL | Category | ||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
Acknowledgments
Red Hat
Zane Bitter
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 10.0 (Newton).\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenStack Bare Metal (ironic) is a tool used to provision bare metal (as opposed to virtual) machines. It leverages common technologies such as PXE boot and IPMI to cover a wide range of hardware. It also supports pluggable drivers to allow added, vendor-specific, functionality.\n\nSecurity Fix(es):\n\n* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:1722",
"url": "https://access.redhat.com/errata/RHSA-2019:1722"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_1722.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-inspector security update",
"tracking": {
"current_release_date": "2025-11-21T18:08:59+00:00",
"generator": {
"date": "2025-11-21T18:08:59+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2019:1722",
"initial_release_date": "2019-07-10T10:01:26+00:00",
"revision_history": [
{
"date": "2019-07-10T10:01:26+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-07-10T10:01:26+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:08:59+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 10.0",
"product": {
"name": "Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:10::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src",
"product": {
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src",
"product_id": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@4.2.2-6.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"product_id": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@4.2.2-6.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch as a component of Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-10.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src as a component of Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.src"
},
"product_reference": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-10.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Zane Bitter"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-10141",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2019-05-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1711722"
}
],
"notes": [
{
"category": "description",
"text": "A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10141"
},
{
"category": "external",
"summary": "RHBZ#1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10141",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
}
],
"release_date": "2019-05-15T03:50:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-10T10:01:26+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1722"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data"
}
]
}
PYSEC-2019-152
Vulnerability from pysec - Published: 2019-07-30 17:15 - Updated: 2021-07-05 00:01
VLAI?
Details
A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
Impacted products
| Name | purl | ironic-inspector | pkg:pypi/ironic-inspector |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ironic-inspector",
"purl": "pkg:pypi/ironic-inspector"
},
"ranges": [
{
"events": [
{
"introduced": "6.1.0"
},
{
"fixed": "7.2.4"
},
{
"introduced": "8.1.0"
},
{
"fixed": "8.2.1"
},
{
"introduced": "0"
},
{
"fixed": "5.0.2"
},
{
"introduced": "5.1.0"
},
{
"fixed": "6.0.3"
},
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.0.0",
"2.0.1",
"2.1.0",
"2.2.0",
"2.2.1",
"2.2.2",
"2.2.3",
"2.2.4",
"2.2.5",
"2.2.6",
"2.2.7",
"2.3.0",
"3.0.0",
"3.1.0",
"3.2.0",
"3.2.1",
"3.2.2",
"3.3.0",
"4.0.0",
"4.1.0",
"4.2.0",
"4.2.1",
"4.2.2",
"5.0.0",
"5.0.1",
"5.1.0",
"6.0.0",
"6.0.1",
"6.0.2",
"6.1.0",
"7.0.0",
"7.1.0",
"7.2.0",
"7.2.1",
"7.2.2",
"7.2.3",
"8.0.0",
"8.0.1",
"8.0.2",
"8.1.0",
"8.2.0"
]
}
],
"aliases": [
"CVE-2019-10141"
],
"details": "A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"id": "PYSEC-2019-152",
"modified": "2021-07-05T00:01:21.998814Z",
"published": "2019-07-30T17:15:00Z",
"references": [
{
"type": "WEB",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"type": "WEB",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
},
{
"type": "WEB",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141"
},
{
"type": "WEB",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"type": "WEB",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
}
]
}
GSD-2019-10141
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2019-10141",
"description": "A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"id": "GSD-2019-10141",
"references": [
"https://access.redhat.com/errata/RHSA-2019:2505",
"https://access.redhat.com/errata/RHSA-2019:1734",
"https://access.redhat.com/errata/RHSA-2019:1722",
"https://access.redhat.com/errata/RHSA-2019:1669"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2019-10141"
],
"details": "A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"id": "GSD-2019-10141",
"modified": "2023-12-13T01:23:58.937680Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-10141",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "openstack-ironic-inspector",
"version": {
"version_data": [
{
"version_value": "all 5.0.x up to, excluding 5.0.2"
},
{
"version_value": "all 6.0.x up to, excluding 6.0.3"
},
{
"version_value": "all 7.2.x up to, excluding 7.2.4"
},
{
"version_value": "all 8.0.3 up to, excluding 8.0.3"
},
{
"version_value": "8.2.0"
}
]
}
}
]
},
"vendor_name": "RedHat"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "8.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"refsource": "MISC",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"refsource": "MISC",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"refsource": "MISC",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"refsource": "MISC",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"refsource": "MISC",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"name": "RHSA-2019:2505",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "7.2.4",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "8.2.1",
"versionStartIncluding": "8.1.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.0.2",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.1.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "8.0.3",
"versionStartIncluding": "8.0.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:openstack:9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-10141"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"refsource": "MISC",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"refsource": "MISC",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"refsource": "MISC",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"refsource": "MISC",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"refsource": "MISC",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"name": "RHSA-2019:2505",
"refsource": "REDHAT",
"tags": [],
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2
}
},
"lastModifiedDate": "2021-08-04T17:15Z",
"publishedDate": "2019-07-30T17:15Z"
}
}
}
CNVD-2019-26257
Vulnerability from cnvd - Published: 2019-08-07
VLAI Severity ?
Title
openstack-ironic-inspector SQL注入漏洞
Description
openstack-ironic-inspector是一款硬件检测守护程序。该程序主要用于检测由OpenStack Ironic管理的节点的硬件属性。
openstack-ironic-inspector中的‘node_cache.find_node()’函数存在SQL注入漏洞。该漏洞源于基于数据库的应用缺少对外部输入SQL语句的验证。攻击者可利用该漏洞执行非法SQL命令。
Severity
高
Patch Name
openstack-ironic-inspector SQL注入漏洞的补丁
Patch Description
openstack-ironic-inspector是一款硬件检测守护程序。该程序主要用于检测由OpenStack Ironic管理的节点的硬件属性。
openstack-ironic-inspector中的‘node_cache.find_node()’函数存在SQL注入漏洞。该漏洞源于基于数据库的应用缺少对外部输入SQL语句的验证。攻击者可利用该漏洞执行非法SQL命令。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://review.opendev.org/#/c/660234/
Reference
https://access.redhat.com/errata/RHSA-2019:1734
Impacted products
| Name | openstack-ironic-inspector openstack-ironic-inspector |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2019-10141",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141"
}
},
"description": "openstack-ironic-inspector\u662f\u4e00\u6b3e\u786c\u4ef6\u68c0\u6d4b\u5b88\u62a4\u7a0b\u5e8f\u3002\u8be5\u7a0b\u5e8f\u4e3b\u8981\u7528\u4e8e\u68c0\u6d4b\u7531OpenStack Ironic\u7ba1\u7406\u7684\u8282\u70b9\u7684\u786c\u4ef6\u5c5e\u6027\u3002\n\nopenstack-ironic-inspector\u4e2d\u7684\u2018node_cache.find_node()\u2019\u51fd\u6570\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u57fa\u4e8e\u6570\u636e\u5e93\u7684\u5e94\u7528\u7f3a\u5c11\u5bf9\u5916\u90e8\u8f93\u5165SQL\u8bed\u53e5\u7684\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u975e\u6cd5SQL\u547d\u4ee4\u3002",
"discovererName": "Summer Long",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://review.opendev.org/#/c/660234/",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2019-26257",
"openTime": "2019-08-07",
"patchDescription": "openstack-ironic-inspector\u662f\u4e00\u6b3e\u786c\u4ef6\u68c0\u6d4b\u5b88\u62a4\u7a0b\u5e8f\u3002\u8be5\u7a0b\u5e8f\u4e3b\u8981\u7528\u4e8e\u68c0\u6d4b\u7531OpenStack Ironic\u7ba1\u7406\u7684\u8282\u70b9\u7684\u786c\u4ef6\u5c5e\u6027\u3002\r\n\r\nopenstack-ironic-inspector\u4e2d\u7684\u2018node_cache.find_node()\u2019\u51fd\u6570\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u57fa\u4e8e\u6570\u636e\u5e93\u7684\u5e94\u7528\u7f3a\u5c11\u5bf9\u5916\u90e8\u8f93\u5165SQL\u8bed\u53e5\u7684\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u975e\u6cd5SQL\u547d\u4ee4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "openstack-ironic-inspector SQL\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "openstack-ironic-inspector openstack-ironic-inspector"
},
"referenceLink": "https://access.redhat.com/errata/RHSA-2019:1734",
"serverity": "\u9ad8",
"submitTime": "2019-08-05",
"title": "openstack-ironic-inspector SQL\u6ce8\u5165\u6f0f\u6d1e"
}
FKIE_CVE-2019-10141
Vulnerability from fkie_nvd - Published: 2019-07-30 17:15 - Updated: 2024-11-21 04:18
Severity ?
8.3 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
9.1 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
9.1 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Summary
A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
References
| URL | Tags | ||
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2019:2505 | ||
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141 | Issue Tracking, Patch, Third Party Advisory | |
| secalert@redhat.com | https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata | Release Notes, Vendor Advisory | |
| secalert@redhat.com | https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike | Release Notes, Vendor Advisory | |
| secalert@redhat.com | https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens | Release Notes, Vendor Advisory | |
| secalert@redhat.com | https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky | Release Notes, Vendor Advisory | |
| secalert@redhat.com | https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2019:2505 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141 | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openstack | ironic-inspector | * | |
| openstack | ironic-inspector | * | |
| openstack | ironic-inspector | * | |
| openstack | ironic-inspector | * | |
| openstack | ironic-inspector | * | |
| redhat | openstack | 10 | |
| redhat | openstack | 13 | |
| redhat | openstack | 14 | |
| redhat | openstack | 9 | |
| redhat | enterprise_linux | 7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1148EC36-0766-4080-AC70-7C384D8A41BC",
"versionEndExcluding": "5.0.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E8F90AF2-9A18-40F8-BBAF-51D1727142FE",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*",
"matchCriteriaId": "77B95F6A-6F21-433A-B8C3-D7EA91312E62",
"versionEndExcluding": "7.2.4",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E9C414C8-F67E-4C60-BCC7-6CE2C0B552C8",
"versionEndExcluding": "8.0.3",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*",
"matchCriteriaId": "79F2C939-0CC0-444A-A313-A52A14CA7B0E",
"versionEndExcluding": "8.2.1",
"versionStartIncluding": "8.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*",
"matchCriteriaId": "E722FEF7-58A6-47AD-B1D0-DB0B71B0C7AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*",
"matchCriteriaId": "704CFA1A-953E-4105-BFBE-406034B83DED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*",
"matchCriteriaId": "EB7F358B-5E56-41AB-BB8A-23D3CB7A248B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openstack:9:*:*:*:*:*:*:*",
"matchCriteriaId": "F40C26BE-56CB-4022-A1D8-3CA0A8F87F4B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service."
},
{
"lang": "es",
"value": "Se detect\u00f3 una vulnerabilidad en ironic-inspector de openstack en todas las versiones, excluyendo a la 5.0.2, 6.0.3, 7.2.4, 8.0.3 y 8.2.1. Se detect\u00f3 una vulnerabilidad de inyecci\u00f3n SQL en la funci\u00f3n node_cache.find_node() de ironic-inspector de openstack. Esta funci\u00f3n realiza una consulta SQL usando datos sin filtrar de un servidor que informa los resultados de la inspecci\u00f3n (mediante una POST hacia el endpoint /v1/continue). Porque la API no est\u00e1 autenticada, el fallo podr\u00eda ser explotado por un atacante con acceso a la red en la que ironic-inspector es detectado. Debido a que ironic-inspector usa los resultados de la consulta, es poco probable que se puedan obtener datos. Sin embargo, el atacante podr\u00eda pasar datos maliciosos y crear una denegaci\u00f3n de servicio."
}
],
"id": "CVE-2019-10141",
"lastModified": "2024-11-21T04:18:30.227",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.5,
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-07-30T17:15:12.453",
"references": [
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141"
},
{
"source": "secalert@redhat.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"source": "secalert@redhat.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"source": "secalert@redhat.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"source": "secalert@redhat.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"source": "secalert@redhat.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-C7FC-CM7P-92R2
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2024-09-27 15:56
VLAI?
Summary
Openstack ironic-inspector has SQL injection vulnerability in node_cache
Details
A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ironic-inspector"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ironic-inspector"
},
"ranges": [
{
"events": [
{
"introduced": "5.1.0"
},
{
"fixed": "6.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ironic-inspector"
},
"ranges": [
{
"events": [
{
"introduced": "6.1.0"
},
{
"fixed": "7.2.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ironic-inspector"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ironic-inspector"
},
"ranges": [
{
"events": [
{
"introduced": "8.1.0"
},
{
"fixed": "8.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10141"
],
"database_specific": {
"cwe_ids": [
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-29T09:48:45Z",
"nvd_published_at": "2019-07-30T17:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"id": "GHSA-c7fc-cm7p-92r2",
"modified": "2024-09-27T15:56:03Z",
"published": "2022-05-24T16:51:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141"
},
{
"type": "WEB",
"url": "https://github.com/openstack/ironic-inspector/commit/17c796b49171b6133e988f78c92d7c9b7ed3fcf3"
},
{
"type": "WEB",
"url": "https://github.com/openstack/ironic-inspector/commit/67ff87ebca1016d44bd9d284ec4c16a88a533cfc"
},
{
"type": "WEB",
"url": "https://github.com/openstack/ironic-inspector/commit/97f9d34f8376ac7accd2597b3bdce67a9dac664f"
},
{
"type": "WEB",
"url": "https://github.com/openstack/ironic-inspector/commit/9d107900b2e0b599397b84409580d46e0ed16291"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141"
},
{
"type": "WEB",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"type": "WEB",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"type": "WEB",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"type": "WEB",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"type": "WEB",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/ironic-inspector"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ironic-inspector/PYSEC-2019-152.yaml"
},
{
"type": "WEB",
"url": "https://review.opendev.org/c/openstack/ironic-inspector/+/660234"
},
{
"type": "WEB",
"url": "https://storyboard.openstack.org/#!/story/2005678"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Openstack ironic-inspector has SQL injection vulnerability in node_cache"
}
BDU:2019-02967
Vulnerability from fstec - Published: 15.05.2019
VLAI Severity ?
Title
Уязвимость функции node_cache.find_node() демона аппаратного самоанализа Ironic Inspector платформы для создания облачных сервисов OpenStack, позволяющая нарушителю вызвать отказ в обслуживании
Description
Уязвимость функции node_cache.find_node() демона аппаратного самоанализа Ironic Inspector SDN-платформы OpenStack связана с непринятием мер по защите структуры запроса SQL. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, вызвать отказ в обслуживании
Severity ?
Vendor
Red Hat Inc., Сообщество свободного программного обеспечения
Software Name
Red Hat OpenStack Platform, Ironic Inspector
Software Version
9.0 (Red Hat OpenStack Platform), 10.0 (Red Hat OpenStack Platform), 13.0 (Red Hat OpenStack Platform), 14.0 (Red Hat OpenStack Platform), до 5.0.2 (Ironic Inspector), от 5.1.0 до 6.0.3 (Ironic Inspector), от 6.1.0 до 7.2.4 (Ironic Inspector), от 8.0.0 до 8.0.3 (Ironic Inspector), от 8.1.0 до 8.2.1 (Ironic Inspector)
Possible Mitigations
Использование рекомендаций:
Для Ironic Inspector:
https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata
https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike
https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens
https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky
https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein
Для программных продуктов Red Hat Inc.:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141
Reference
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141
https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata
https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike
https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens
https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky
https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein
https://access.redhat.com/security/cve/cve-2019-10141
CWE
CWE-89
{
"CVSS 2.0": "AV:N/AC:L/Au:N/C:N/I:C/A:C",
"CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Red Hat Inc., \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "9.0 (Red Hat OpenStack Platform), 10.0 (Red Hat OpenStack Platform), 13.0 (Red Hat OpenStack Platform), 14.0 (Red Hat OpenStack Platform), \u0434\u043e 5.0.2 (Ironic Inspector), \u043e\u0442 5.1.0 \u0434\u043e 6.0.3 (Ironic Inspector), \u043e\u0442 6.1.0 \u0434\u043e 7.2.4 (Ironic Inspector), \u043e\u0442 8.0.0 \u0434\u043e 8.0.3 (Ironic Inspector), \u043e\u0442 8.1.0 \u0434\u043e 8.2.1 (Ironic Inspector)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Ironic Inspector:\nhttps://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata \nhttps://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike \nhttps://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens \nhttps://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky \nhttps://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "15.05.2019",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "23.03.2021",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "22.08.2019",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2019-02967",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2019-10141",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Red Hat OpenStack Platform, Ironic Inspector",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 node_cache.find_node() \u0434\u0435\u043c\u043e\u043d\u0430 \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0430\u043c\u043e\u0430\u043d\u0430\u043b\u0438\u0437\u0430 Ironic Inspector \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b \u0434\u043b\u044f \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u044f \u043e\u0431\u043b\u0430\u0447\u043d\u044b\u0445 \u0441\u0435\u0440\u0432\u0438\u0441\u043e\u0432 OpenStack, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435 \u043c\u0435\u0440 \u043f\u043e \u0437\u0430\u0449\u0438\u0442\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b \u0437\u0430\u043f\u0440\u043e\u0441\u0430 SQL (\u0430\u0442\u0430\u043a\u0438 \u0442\u0438\u043f\u0430 \\\"\u0432\u043d\u0435\u0434\u0440\u0435\u043d\u0438\u0435 SQL\\\") (CWE-89)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 node_cache.find_node() \u0434\u0435\u043c\u043e\u043d\u0430 \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0430\u043c\u043e\u0430\u043d\u0430\u043b\u0438\u0437\u0430 Ironic Inspector SDN-\u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b OpenStack \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435\u043c \u043c\u0435\u0440 \u043f\u043e \u0437\u0430\u0449\u0438\u0442\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b \u0437\u0430\u043f\u0440\u043e\u0441\u0430 SQL. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": "-",
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u043d\u044a\u0435\u043a\u0446\u0438\u044f",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141\nhttps://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata\nhttps://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike\nhttps://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens\nhttps://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky\nhttps://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein\nhttps://access.redhat.com/security/cve/cve-2019-10141",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041f\u041e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e-\u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-89",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,4)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,1)"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…