Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2019-10141
Vulnerability from cvelistv5
Published
2019-07-30 16:22
Modified
2024-08-04 22:10
Severity ?
EPSS score ?
Summary
A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | RedHat | openstack-ironic-inspector |
Version: all 5.0.x up to, excluding 5.0.2 Version: all 6.0.x up to, excluding 6.0.3 Version: all 7.2.x up to, excluding 7.2.4 Version: all 8.0.3 up to, excluding 8.0.3 Version: 8.2.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:10:09.963Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"name": "RHSA-2019:2505",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "openstack-ironic-inspector",
"vendor": "RedHat",
"versions": [
{
"status": "affected",
"version": "all 5.0.x up to, excluding 5.0.2"
},
{
"status": "affected",
"version": "all 6.0.x up to, excluding 6.0.3"
},
{
"status": "affected",
"version": "all 7.2.x up to, excluding 7.2.4"
},
{
"status": "affected",
"version": "all 8.0.3 up to, excluding 8.0.3"
},
{
"status": "affected",
"version": "8.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-15T16:06:15",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"name": "RHSA-2019:2505",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-10141",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "openstack-ironic-inspector",
"version": {
"version_data": [
{
"version_value": "all 5.0.x up to, excluding 5.0.2"
},
{
"version_value": "all 6.0.x up to, excluding 6.0.3"
},
{
"version_value": "all 7.2.x up to, excluding 7.2.4"
},
{
"version_value": "all 8.0.3 up to, excluding 8.0.3"
},
{
"version_value": "8.2.0"
}
]
}
}
]
},
"vendor_name": "RedHat"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "8.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"refsource": "MISC",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"refsource": "MISC",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"refsource": "MISC",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"refsource": "MISC",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"refsource": "MISC",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"name": "RHSA-2019:2505",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-10141",
"datePublished": "2019-07-30T16:22:59",
"dateReserved": "2019-03-27T00:00:00",
"dateUpdated": "2024-08-04T22:10:09.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"5.0.2\", \"matchCriteriaId\": \"1148EC36-0766-4080-AC70-7C384D8A41BC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.1.0\", \"versionEndExcluding\": \"6.0.3\", \"matchCriteriaId\": \"E8F90AF2-9A18-40F8-BBAF-51D1727142FE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.1.0\", \"versionEndExcluding\": \"7.2.4\", \"matchCriteriaId\": \"77B95F6A-6F21-433A-B8C3-D7EA91312E62\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.0.0\", \"versionEndExcluding\": \"8.0.3\", \"matchCriteriaId\": \"E9C414C8-F67E-4C60-BCC7-6CE2C0B552C8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.1.0\", \"versionEndExcluding\": \"8.2.1\", \"matchCriteriaId\": \"79F2C939-0CC0-444A-A313-A52A14CA7B0E\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E722FEF7-58A6-47AD-B1D0-DB0B71B0C7AA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"704CFA1A-953E-4105-BFBE-406034B83DED\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EB7F358B-5E56-41AB-BB8A-23D3CB7A248B\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:openstack:9:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F40C26BE-56CB-4022-A1D8-3CA0A8F87F4B\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"142AD0DD-4CF3-4D74-9442-459CE3347E3A\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.\"}, {\"lang\": \"es\", \"value\": \"Se detect\\u00f3 una vulnerabilidad en ironic-inspector de openstack en todas las versiones, excluyendo a la 5.0.2, 6.0.3, 7.2.4, 8.0.3 y 8.2.1. Se detect\\u00f3 una vulnerabilidad de inyecci\\u00f3n SQL en la funci\\u00f3n node_cache.find_node() de ironic-inspector de openstack. Esta funci\\u00f3n realiza una consulta SQL usando datos sin filtrar de un servidor que informa los resultados de la inspecci\\u00f3n (mediante una POST hacia el endpoint /v1/continue). Porque la API no est\\u00e1 autenticada, el fallo podr\\u00eda ser explotado por un atacante con acceso a la red en la que ironic-inspector es detectado. Debido a que ironic-inspector usa los resultados de la consulta, es poco probable que se puedan obtener datos. Sin embargo, el atacante podr\\u00eda pasar datos maliciosos y crear una denegaci\\u00f3n de servicio.\"}]",
"id": "CVE-2019-10141",
"lastModified": "2024-11-21T04:18:30.227",
"metrics": "{\"cvssMetricV30\": [{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H\", \"baseScore\": 8.3, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.5}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\", \"baseScore\": 9.1, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.2}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:P/A:P\", \"baseScore\": 6.4, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2019-07-30T17:15:12.453",
"references": "[{\"url\": \"https://access.redhat.com/errata/RHSA-2019:2505\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:2505\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2019-10141\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2019-07-30T17:15:12.453\",\"lastModified\":\"2024-11-21T04:18:30.227\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.\"},{\"lang\":\"es\",\"value\":\"Se detect\u00f3 una vulnerabilidad en ironic-inspector de openstack en todas las versiones, excluyendo a la 5.0.2, 6.0.3, 7.2.4, 8.0.3 y 8.2.1. Se detect\u00f3 una vulnerabilidad de inyecci\u00f3n SQL en la funci\u00f3n node_cache.find_node() de ironic-inspector de openstack. Esta funci\u00f3n realiza una consulta SQL usando datos sin filtrar de un servidor que informa los resultados de la inspecci\u00f3n (mediante una POST hacia el endpoint /v1/continue). Porque la API no est\u00e1 autenticada, el fallo podr\u00eda ser explotado por un atacante con acceso a la red en la que ironic-inspector es detectado. Debido a que ironic-inspector usa los resultados de la consulta, es poco probable que se puedan obtener datos. Sin embargo, el atacante podr\u00eda pasar datos maliciosos y crear una denegaci\u00f3n de servicio.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H\",\"baseScore\":8.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:P\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.0.2\",\"matchCriteriaId\":\"1148EC36-0766-4080-AC70-7C384D8A41BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.1.0\",\"versionEndExcluding\":\"6.0.3\",\"matchCriteriaId\":\"E8F90AF2-9A18-40F8-BBAF-51D1727142FE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.1.0\",\"versionEndExcluding\":\"7.2.4\",\"matchCriteriaId\":\"77B95F6A-6F21-433A-B8C3-D7EA91312E62\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.0\",\"versionEndExcluding\":\"8.0.3\",\"matchCriteriaId\":\"E9C414C8-F67E-4C60-BCC7-6CE2C0B552C8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.1.0\",\"versionEndExcluding\":\"8.2.1\",\"matchCriteriaId\":\"79F2C939-0CC0-444A-A313-A52A14CA7B0E\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E722FEF7-58A6-47AD-B1D0-DB0B71B0C7AA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"704CFA1A-953E-4105-BFBE-406034B83DED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EB7F358B-5E56-41AB-BB8A-23D3CB7A248B\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openstack:9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F40C26BE-56CB-4022-A1D8-3CA0A8F87F4B\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"142AD0DD-4CF3-4D74-9442-459CE3347E3A\"}]}]}],\"references\":[{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2505\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2505\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]}]}}"
}
}
rhsa-2019:1722
Vulnerability from csaf_redhat
Published
2019-07-10 10:01
Modified
2024-11-15 03:11
Summary
Red Hat Security Advisory: openstack-ironic-inspector security update
Notes
Topic
An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 10.0 (Newton).
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
OpenStack Bare Metal (ironic) is a tool used to provision bare metal (as opposed to virtual) machines. It leverages common technologies such as PXE boot and IPMI to cover a wide range of hardware. It also supports pluggable drivers to allow added, vendor-specific, functionality.
Security Fix(es):
* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 10.0 (Newton).\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenStack Bare Metal (ironic) is a tool used to provision bare metal (as opposed to virtual) machines. It leverages common technologies such as PXE boot and IPMI to cover a wide range of hardware. It also supports pluggable drivers to allow added, vendor-specific, functionality.\n\nSecurity Fix(es):\n\n* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:1722",
"url": "https://access.redhat.com/errata/RHSA-2019:1722"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_1722.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-inspector security update",
"tracking": {
"current_release_date": "2024-11-15T03:11:27+00:00",
"generator": {
"date": "2024-11-15T03:11:27+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:1722",
"initial_release_date": "2019-07-10T10:01:26+00:00",
"revision_history": [
{
"date": "2019-07-10T10:01:26+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-07-10T10:01:26+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T03:11:27+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 10.0",
"product": {
"name": "Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:10::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src",
"product": {
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src",
"product_id": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@4.2.2-6.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"product_id": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@4.2.2-6.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch as a component of Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-10.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src as a component of Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.src"
},
"product_reference": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-10.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Zane Bitter"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-10141",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2019-05-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1711722"
}
],
"notes": [
{
"category": "description",
"text": "A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10141"
},
{
"category": "external",
"summary": "RHBZ#1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10141",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
}
],
"release_date": "2019-05-15T03:50:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-10T10:01:26+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1722"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data"
}
]
}
rhsa-2019:1734
Vulnerability from csaf_redhat
Published
2019-07-10 14:02
Modified
2024-11-15 03:11
Summary
Red Hat Security Advisory: openstack-ironic-inspector security update
Notes
Topic
An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 13.0 (Queens).
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
ironic-inspector is an auxiliary service for discovering hardware properties for a node managed by Ironic. Hardware introspection or hardware properties discovery is a process of getting hardware parameters required for scheduling from a bare metal node, given its power management credentials (e.g. IPMI address, user name and password).
Security Fix:
* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)
For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 13.0 (Queens).\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "ironic-inspector is an auxiliary service for discovering hardware properties for a node managed by Ironic. Hardware introspection or hardware properties discovery is a process of getting hardware parameters required for scheduling from a bare metal node, given its power management credentials (e.g. IPMI address, user name and password).\n\nSecurity Fix:\n\n* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)\n\nFor more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:1734",
"url": "https://access.redhat.com/errata/RHSA-2019:1734"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "1717086",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1717086"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_1734.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-inspector security update",
"tracking": {
"current_release_date": "2024-11-15T03:11:58+00:00",
"generator": {
"date": "2024-11-15T03:11:58+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:1734",
"initial_release_date": "2019-07-10T14:02:39+00:00",
"revision_history": [
{
"date": "2019-07-10T14:02:39+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-07-10T14:02:39+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T03:11:58+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 13.0",
"product": {
"name": "Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-13.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:13::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src",
"product": {
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src",
"product_id": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@7.2.3-3.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"product_id": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@7.2.3-3.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch as a component of Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-13.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src as a component of Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.src"
},
"product_reference": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-13.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Zane Bitter"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-10141",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2019-05-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1711722"
}
],
"notes": [
{
"category": "description",
"text": "A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10141"
},
{
"category": "external",
"summary": "RHBZ#1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10141",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
}
],
"release_date": "2019-05-15T03:50:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-10T14:02:39+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1734"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data"
}
]
}
rhsa-2019_1734
Vulnerability from csaf_redhat
Published
2019-07-10 14:02
Modified
2024-11-15 03:11
Summary
Red Hat Security Advisory: openstack-ironic-inspector security update
Notes
Topic
An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 13.0 (Queens).
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
ironic-inspector is an auxiliary service for discovering hardware properties for a node managed by Ironic. Hardware introspection or hardware properties discovery is a process of getting hardware parameters required for scheduling from a bare metal node, given its power management credentials (e.g. IPMI address, user name and password).
Security Fix:
* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)
For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 13.0 (Queens).\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "ironic-inspector is an auxiliary service for discovering hardware properties for a node managed by Ironic. Hardware introspection or hardware properties discovery is a process of getting hardware parameters required for scheduling from a bare metal node, given its power management credentials (e.g. IPMI address, user name and password).\n\nSecurity Fix:\n\n* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)\n\nFor more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:1734",
"url": "https://access.redhat.com/errata/RHSA-2019:1734"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "1717086",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1717086"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_1734.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-inspector security update",
"tracking": {
"current_release_date": "2024-11-15T03:11:58+00:00",
"generator": {
"date": "2024-11-15T03:11:58+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:1734",
"initial_release_date": "2019-07-10T14:02:39+00:00",
"revision_history": [
{
"date": "2019-07-10T14:02:39+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-07-10T14:02:39+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T03:11:58+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 13.0",
"product": {
"name": "Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-13.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:13::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src",
"product": {
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src",
"product_id": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@7.2.3-3.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"product_id": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@7.2.3-3.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch as a component of Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-13.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src as a component of Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.src"
},
"product_reference": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-13.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Zane Bitter"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-10141",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2019-05-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1711722"
}
],
"notes": [
{
"category": "description",
"text": "A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10141"
},
{
"category": "external",
"summary": "RHBZ#1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10141",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
}
],
"release_date": "2019-05-15T03:50:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-10T14:02:39+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1734"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data"
}
]
}
RHSA-2019:1669
Vulnerability from csaf_redhat
Published
2019-07-02 19:45
Modified
2024-11-15 03:11
Summary
Red Hat Security Advisory: openstack-ironic-inspector security update
Notes
Topic
An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 14.0 (Rocky).
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Nodes managed by Ironic may use the ironic-inspector auxiliary service to discover hardware properties. Hardware introspection or hardware properties discovery is a process of getting hardware parameters required for scheduling from a bare metal node, given its power management credentials (e.g. IPMI address, user name and password).
Security Fix(es):
* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 14.0 (Rocky).\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Nodes managed by Ironic may use the ironic-inspector auxiliary service to discover hardware properties. Hardware introspection or hardware properties discovery is a process of getting hardware parameters required for scheduling from a bare metal node, given its power management credentials (e.g. IPMI address, user name and password).\n\nSecurity Fix(es):\n\n* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:1669",
"url": "https://access.redhat.com/errata/RHSA-2019:1669"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "1712027",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1712027"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_1669.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-inspector security update",
"tracking": {
"current_release_date": "2024-11-15T03:11:22+00:00",
"generator": {
"date": "2024-11-15T03:11:22+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:1669",
"initial_release_date": "2019-07-02T19:45:37+00:00",
"revision_history": [
{
"date": "2019-07-02T19:45:37+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-07-02T19:45:37+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T03:11:22+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 14.0",
"product": {
"name": "Red Hat OpenStack Platform 14.0",
"product_id": "7Server-RH7-RHOS-14.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:14::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src",
"product": {
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src",
"product_id": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@8.0.3-0.20190420013817.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"product_id": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@8.0.3-0.20190420013817.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch as a component of Red Hat OpenStack Platform 14.0",
"product_id": "7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-14.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src as a component of Red Hat OpenStack Platform 14.0",
"product_id": "7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src"
},
"product_reference": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-14.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Zane Bitter"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-10141",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2019-05-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1711722"
}
],
"notes": [
{
"category": "description",
"text": "A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10141"
},
{
"category": "external",
"summary": "RHBZ#1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10141",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
}
],
"release_date": "2019-05-15T03:50:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-02T19:45:37+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data"
}
]
}
rhsa-2019:1669
Vulnerability from csaf_redhat
Published
2019-07-02 19:45
Modified
2024-11-15 03:11
Summary
Red Hat Security Advisory: openstack-ironic-inspector security update
Notes
Topic
An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 14.0 (Rocky).
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Nodes managed by Ironic may use the ironic-inspector auxiliary service to discover hardware properties. Hardware introspection or hardware properties discovery is a process of getting hardware parameters required for scheduling from a bare metal node, given its power management credentials (e.g. IPMI address, user name and password).
Security Fix(es):
* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 14.0 (Rocky).\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Nodes managed by Ironic may use the ironic-inspector auxiliary service to discover hardware properties. Hardware introspection or hardware properties discovery is a process of getting hardware parameters required for scheduling from a bare metal node, given its power management credentials (e.g. IPMI address, user name and password).\n\nSecurity Fix(es):\n\n* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:1669",
"url": "https://access.redhat.com/errata/RHSA-2019:1669"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "1712027",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1712027"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_1669.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-inspector security update",
"tracking": {
"current_release_date": "2024-11-15T03:11:22+00:00",
"generator": {
"date": "2024-11-15T03:11:22+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:1669",
"initial_release_date": "2019-07-02T19:45:37+00:00",
"revision_history": [
{
"date": "2019-07-02T19:45:37+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-07-02T19:45:37+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T03:11:22+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 14.0",
"product": {
"name": "Red Hat OpenStack Platform 14.0",
"product_id": "7Server-RH7-RHOS-14.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:14::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src",
"product": {
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src",
"product_id": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@8.0.3-0.20190420013817.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"product_id": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@8.0.3-0.20190420013817.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch as a component of Red Hat OpenStack Platform 14.0",
"product_id": "7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-14.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src as a component of Red Hat OpenStack Platform 14.0",
"product_id": "7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src"
},
"product_reference": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-14.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Zane Bitter"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-10141",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2019-05-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1711722"
}
],
"notes": [
{
"category": "description",
"text": "A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10141"
},
{
"category": "external",
"summary": "RHBZ#1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10141",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
}
],
"release_date": "2019-05-15T03:50:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-02T19:45:37+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data"
}
]
}
rhsa-2019:2505
Vulnerability from csaf_redhat
Published
2019-08-15 16:02
Modified
2024-11-15 03:13
Summary
Red Hat Security Advisory: openstack-ironic-inspector security update
Notes
Topic
An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 9.0 (Mitaka) director.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
ironic-inspector is an auxiliary service for discovering hardware
properties for a node managed by Ironic. Hardware introspection or hardware
properties discovery is a process of getting hardware parameters required
for scheduling from a bare metal node, given its power management
credentials (e.g. IPMI address, user name and password).
Security Fix(es):
* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 9.0 (Mitaka) director.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "ironic-inspector is an auxiliary service for discovering hardware\nproperties for a node managed by Ironic. Hardware introspection or hardware\nproperties discovery is a process of getting hardware parameters required\nfor scheduling from a bare metal node, given its power management\ncredentials (e.g. IPMI address, user name and password).\n\nSecurity Fix(es):\n\n* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:2505",
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_2505.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-inspector security update",
"tracking": {
"current_release_date": "2024-11-15T03:13:23+00:00",
"generator": {
"date": "2024-11-15T03:13:23+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:2505",
"initial_release_date": "2019-08-15T16:02:36+00:00",
"revision_history": [
{
"date": "2019-08-15T16:02:36+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-08-15T16:02:36+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T03:13:23+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenStack 9.0 Director for RHEL 7",
"product": {
"name": "OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack-director:9::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"product_id": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@3.2.2-5.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch",
"product_id": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector-doc@3.2.2-5.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"product": {
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"product_id": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@3.2.2-5.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch as a component of OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src as a component of OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.src"
},
"product_reference": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch as a component of OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0-Director"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Zane Bitter"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-10141",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2019-05-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1711722"
}
],
"notes": [
{
"category": "description",
"text": "A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10141"
},
{
"category": "external",
"summary": "RHBZ#1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10141",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
}
],
"release_date": "2019-05-15T03:50:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-15T16:02:36+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data"
}
]
}
RHSA-2019:1734
Vulnerability from csaf_redhat
Published
2019-07-10 14:02
Modified
2024-11-15 03:11
Summary
Red Hat Security Advisory: openstack-ironic-inspector security update
Notes
Topic
An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 13.0 (Queens).
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
ironic-inspector is an auxiliary service for discovering hardware properties for a node managed by Ironic. Hardware introspection or hardware properties discovery is a process of getting hardware parameters required for scheduling from a bare metal node, given its power management credentials (e.g. IPMI address, user name and password).
Security Fix:
* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)
For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 13.0 (Queens).\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "ironic-inspector is an auxiliary service for discovering hardware properties for a node managed by Ironic. Hardware introspection or hardware properties discovery is a process of getting hardware parameters required for scheduling from a bare metal node, given its power management credentials (e.g. IPMI address, user name and password).\n\nSecurity Fix:\n\n* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)\n\nFor more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:1734",
"url": "https://access.redhat.com/errata/RHSA-2019:1734"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "1717086",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1717086"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_1734.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-inspector security update",
"tracking": {
"current_release_date": "2024-11-15T03:11:58+00:00",
"generator": {
"date": "2024-11-15T03:11:58+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:1734",
"initial_release_date": "2019-07-10T14:02:39+00:00",
"revision_history": [
{
"date": "2019-07-10T14:02:39+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-07-10T14:02:39+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T03:11:58+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 13.0",
"product": {
"name": "Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-13.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:13::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src",
"product": {
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src",
"product_id": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@7.2.3-3.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"product_id": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@7.2.3-3.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch as a component of Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-13.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src as a component of Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.src"
},
"product_reference": "openstack-ironic-inspector-0:7.2.3-3.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-13.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Zane Bitter"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-10141",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2019-05-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1711722"
}
],
"notes": [
{
"category": "description",
"text": "A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10141"
},
{
"category": "external",
"summary": "RHBZ#1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10141",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
}
],
"release_date": "2019-05-15T03:50:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-10T14:02:39+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1734"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.noarch",
"7Server-RH7-RHOS-13.0:openstack-ironic-inspector-0:7.2.3-3.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data"
}
]
}
RHSA-2019:1722
Vulnerability from csaf_redhat
Published
2019-07-10 10:01
Modified
2024-11-15 03:11
Summary
Red Hat Security Advisory: openstack-ironic-inspector security update
Notes
Topic
An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 10.0 (Newton).
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
OpenStack Bare Metal (ironic) is a tool used to provision bare metal (as opposed to virtual) machines. It leverages common technologies such as PXE boot and IPMI to cover a wide range of hardware. It also supports pluggable drivers to allow added, vendor-specific, functionality.
Security Fix(es):
* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 10.0 (Newton).\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenStack Bare Metal (ironic) is a tool used to provision bare metal (as opposed to virtual) machines. It leverages common technologies such as PXE boot and IPMI to cover a wide range of hardware. It also supports pluggable drivers to allow added, vendor-specific, functionality.\n\nSecurity Fix(es):\n\n* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:1722",
"url": "https://access.redhat.com/errata/RHSA-2019:1722"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_1722.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-inspector security update",
"tracking": {
"current_release_date": "2024-11-15T03:11:27+00:00",
"generator": {
"date": "2024-11-15T03:11:27+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:1722",
"initial_release_date": "2019-07-10T10:01:26+00:00",
"revision_history": [
{
"date": "2019-07-10T10:01:26+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-07-10T10:01:26+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T03:11:27+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 10.0",
"product": {
"name": "Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:10::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src",
"product": {
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src",
"product_id": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@4.2.2-6.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"product_id": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@4.2.2-6.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch as a component of Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-10.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src as a component of Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.src"
},
"product_reference": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-10.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Zane Bitter"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-10141",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2019-05-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1711722"
}
],
"notes": [
{
"category": "description",
"text": "A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10141"
},
{
"category": "external",
"summary": "RHBZ#1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10141",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
}
],
"release_date": "2019-05-15T03:50:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-10T10:01:26+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1722"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data"
}
]
}
rhsa-2019_1669
Vulnerability from csaf_redhat
Published
2019-07-02 19:45
Modified
2024-11-15 03:11
Summary
Red Hat Security Advisory: openstack-ironic-inspector security update
Notes
Topic
An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 14.0 (Rocky).
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Nodes managed by Ironic may use the ironic-inspector auxiliary service to discover hardware properties. Hardware introspection or hardware properties discovery is a process of getting hardware parameters required for scheduling from a bare metal node, given its power management credentials (e.g. IPMI address, user name and password).
Security Fix(es):
* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 14.0 (Rocky).\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Nodes managed by Ironic may use the ironic-inspector auxiliary service to discover hardware properties. Hardware introspection or hardware properties discovery is a process of getting hardware parameters required for scheduling from a bare metal node, given its power management credentials (e.g. IPMI address, user name and password).\n\nSecurity Fix(es):\n\n* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:1669",
"url": "https://access.redhat.com/errata/RHSA-2019:1669"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "1712027",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1712027"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_1669.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-inspector security update",
"tracking": {
"current_release_date": "2024-11-15T03:11:22+00:00",
"generator": {
"date": "2024-11-15T03:11:22+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:1669",
"initial_release_date": "2019-07-02T19:45:37+00:00",
"revision_history": [
{
"date": "2019-07-02T19:45:37+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-07-02T19:45:37+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T03:11:22+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 14.0",
"product": {
"name": "Red Hat OpenStack Platform 14.0",
"product_id": "7Server-RH7-RHOS-14.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:14::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src",
"product": {
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src",
"product_id": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@8.0.3-0.20190420013817.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"product_id": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@8.0.3-0.20190420013817.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch as a component of Red Hat OpenStack Platform 14.0",
"product_id": "7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-14.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src as a component of Red Hat OpenStack Platform 14.0",
"product_id": "7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src"
},
"product_reference": "openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-14.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Zane Bitter"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-10141",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2019-05-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1711722"
}
],
"notes": [
{
"category": "description",
"text": "A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10141"
},
{
"category": "external",
"summary": "RHBZ#1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10141",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
}
],
"release_date": "2019-05-15T03:50:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-02T19:45:37+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.noarch",
"7Server-RH7-RHOS-14.0:openstack-ironic-inspector-0:8.0.3-0.20190420013817.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data"
}
]
}
rhsa-2019_2505
Vulnerability from csaf_redhat
Published
2019-08-15 16:02
Modified
2024-11-15 03:13
Summary
Red Hat Security Advisory: openstack-ironic-inspector security update
Notes
Topic
An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 9.0 (Mitaka) director.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
ironic-inspector is an auxiliary service for discovering hardware
properties for a node managed by Ironic. Hardware introspection or hardware
properties discovery is a process of getting hardware parameters required
for scheduling from a bare metal node, given its power management
credentials (e.g. IPMI address, user name and password).
Security Fix(es):
* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 9.0 (Mitaka) director.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "ironic-inspector is an auxiliary service for discovering hardware\nproperties for a node managed by Ironic. Hardware introspection or hardware\nproperties discovery is a process of getting hardware parameters required\nfor scheduling from a bare metal node, given its power management\ncredentials (e.g. IPMI address, user name and password).\n\nSecurity Fix(es):\n\n* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:2505",
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_2505.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-inspector security update",
"tracking": {
"current_release_date": "2024-11-15T03:13:23+00:00",
"generator": {
"date": "2024-11-15T03:13:23+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:2505",
"initial_release_date": "2019-08-15T16:02:36+00:00",
"revision_history": [
{
"date": "2019-08-15T16:02:36+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-08-15T16:02:36+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T03:13:23+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenStack 9.0 Director for RHEL 7",
"product": {
"name": "OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack-director:9::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"product_id": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@3.2.2-5.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch",
"product_id": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector-doc@3.2.2-5.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"product": {
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"product_id": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@3.2.2-5.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch as a component of OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src as a component of OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.src"
},
"product_reference": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch as a component of OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0-Director"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Zane Bitter"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-10141",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2019-05-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1711722"
}
],
"notes": [
{
"category": "description",
"text": "A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10141"
},
{
"category": "external",
"summary": "RHBZ#1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10141",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
}
],
"release_date": "2019-05-15T03:50:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-15T16:02:36+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data"
}
]
}
rhsa-2019_1722
Vulnerability from csaf_redhat
Published
2019-07-10 10:01
Modified
2024-11-15 03:11
Summary
Red Hat Security Advisory: openstack-ironic-inspector security update
Notes
Topic
An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 10.0 (Newton).
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
OpenStack Bare Metal (ironic) is a tool used to provision bare metal (as opposed to virtual) machines. It leverages common technologies such as PXE boot and IPMI to cover a wide range of hardware. It also supports pluggable drivers to allow added, vendor-specific, functionality.
Security Fix(es):
* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 10.0 (Newton).\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenStack Bare Metal (ironic) is a tool used to provision bare metal (as opposed to virtual) machines. It leverages common technologies such as PXE boot and IPMI to cover a wide range of hardware. It also supports pluggable drivers to allow added, vendor-specific, functionality.\n\nSecurity Fix(es):\n\n* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:1722",
"url": "https://access.redhat.com/errata/RHSA-2019:1722"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_1722.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-inspector security update",
"tracking": {
"current_release_date": "2024-11-15T03:11:27+00:00",
"generator": {
"date": "2024-11-15T03:11:27+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:1722",
"initial_release_date": "2019-07-10T10:01:26+00:00",
"revision_history": [
{
"date": "2019-07-10T10:01:26+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-07-10T10:01:26+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T03:11:27+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 10.0",
"product": {
"name": "Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:10::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src",
"product": {
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src",
"product_id": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@4.2.2-6.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"product_id": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@4.2.2-6.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch as a component of Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-10.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src as a component of Red Hat OpenStack Platform 10.0",
"product_id": "7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.src"
},
"product_reference": "openstack-ironic-inspector-0:4.2.2-6.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-10.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Zane Bitter"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-10141",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2019-05-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1711722"
}
],
"notes": [
{
"category": "description",
"text": "A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10141"
},
{
"category": "external",
"summary": "RHBZ#1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10141",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
}
],
"release_date": "2019-05-15T03:50:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-10T10:01:26+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1722"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.noarch",
"7Server-RH7-RHOS-10.0:openstack-ironic-inspector-0:4.2.2-6.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data"
}
]
}
RHSA-2019:2505
Vulnerability from csaf_redhat
Published
2019-08-15 16:02
Modified
2024-11-15 03:13
Summary
Red Hat Security Advisory: openstack-ironic-inspector security update
Notes
Topic
An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 9.0 (Mitaka) director.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
ironic-inspector is an auxiliary service for discovering hardware
properties for a node managed by Ironic. Hardware introspection or hardware
properties discovery is a process of getting hardware parameters required
for scheduling from a bare metal node, given its power management
credentials (e.g. IPMI address, user name and password).
Security Fix(es):
* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for openstack-ironic-inspector is now available for Red Hat OpenStack Platform 9.0 (Mitaka) director.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "ironic-inspector is an auxiliary service for discovering hardware\nproperties for a node managed by Ironic. Hardware introspection or hardware\nproperties discovery is a process of getting hardware parameters required\nfor scheduling from a bare metal node, given its power management\ncredentials (e.g. IPMI address, user name and password).\n\nSecurity Fix(es):\n\n* openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data (CVE-2019-10141)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:2505",
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_2505.json"
}
],
"title": "Red Hat Security Advisory: openstack-ironic-inspector security update",
"tracking": {
"current_release_date": "2024-11-15T03:13:23+00:00",
"generator": {
"date": "2024-11-15T03:13:23+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:2505",
"initial_release_date": "2019-08-15T16:02:36+00:00",
"revision_history": [
{
"date": "2019-08-15T16:02:36+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-08-15T16:02:36+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T03:13:23+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenStack 9.0 Director for RHEL 7",
"product": {
"name": "OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack-director:9::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"product_id": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@3.2.2-5.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch",
"product": {
"name": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch",
"product_id": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector-doc@3.2.2-5.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"product": {
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"product_id": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-inspector@3.2.2-5.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch as a component of OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src as a component of OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.src"
},
"product_reference": "openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0-Director"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch as a component of OpenStack 9.0 Director for RHEL 7",
"product_id": "7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch"
},
"product_reference": "openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0-Director"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Zane Bitter"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-10141",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2019-05-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1711722"
}
],
"notes": [
{
"category": "description",
"text": "A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10141"
},
{
"category": "external",
"summary": "RHBZ#1711722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1711722"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10141",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"category": "external",
"summary": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
}
],
"release_date": "2019-05-15T03:50:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-15T16:02:36+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.noarch",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-0:3.2.2-5.el7ost.src",
"7Server-RH7-RHOS-9.0-Director:openstack-ironic-inspector-doc-0:3.2.2-5.el7ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data"
}
]
}
gsd-2019-10141
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2019-10141",
"description": "A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"id": "GSD-2019-10141",
"references": [
"https://access.redhat.com/errata/RHSA-2019:2505",
"https://access.redhat.com/errata/RHSA-2019:1734",
"https://access.redhat.com/errata/RHSA-2019:1722",
"https://access.redhat.com/errata/RHSA-2019:1669"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2019-10141"
],
"details": "A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"id": "GSD-2019-10141",
"modified": "2023-12-13T01:23:58.937680Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-10141",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "openstack-ironic-inspector",
"version": {
"version_data": [
{
"version_value": "all 5.0.x up to, excluding 5.0.2"
},
{
"version_value": "all 6.0.x up to, excluding 6.0.3"
},
{
"version_value": "all 7.2.x up to, excluding 7.2.4"
},
{
"version_value": "all 8.0.3 up to, excluding 8.0.3"
},
{
"version_value": "8.2.0"
}
]
}
}
]
},
"vendor_name": "RedHat"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "8.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"refsource": "MISC",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"refsource": "MISC",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"refsource": "MISC",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"refsource": "MISC",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"refsource": "MISC",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"name": "RHSA-2019:2505",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "7.2.4",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "8.2.1",
"versionStartIncluding": "8.1.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.0.2",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.1.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "8.0.3",
"versionStartIncluding": "8.0.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:openstack:9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-10141"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata",
"refsource": "MISC",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein",
"refsource": "MISC",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens",
"refsource": "MISC",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky",
"refsource": "MISC",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"name": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike",
"refsource": "MISC",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"name": "RHSA-2019:2505",
"refsource": "REDHAT",
"tags": [],
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2
}
},
"lastModifiedDate": "2021-08-04T17:15Z",
"publishedDate": "2019-07-30T17:15Z"
}
}
}
pysec-2019-152
Vulnerability from pysec
Published
2019-07-30 17:15
Modified
2021-07-05 00:01
Details
A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ironic-inspector",
"purl": "pkg:pypi/ironic-inspector"
},
"ranges": [
{
"events": [
{
"introduced": "6.1.0"
},
{
"fixed": "7.2.4"
},
{
"introduced": "8.1.0"
},
{
"fixed": "8.2.1"
},
{
"introduced": "0"
},
{
"fixed": "5.0.2"
},
{
"introduced": "5.1.0"
},
{
"fixed": "6.0.3"
},
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.0.0",
"2.0.1",
"2.1.0",
"2.2.0",
"2.2.1",
"2.2.2",
"2.2.3",
"2.2.4",
"2.2.5",
"2.2.6",
"2.2.7",
"2.3.0",
"3.0.0",
"3.1.0",
"3.2.0",
"3.2.1",
"3.2.2",
"3.3.0",
"4.0.0",
"4.1.0",
"4.2.0",
"4.2.1",
"4.2.2",
"5.0.0",
"5.0.1",
"5.1.0",
"6.0.0",
"6.0.1",
"6.0.2",
"6.1.0",
"7.0.0",
"7.1.0",
"7.2.0",
"7.2.1",
"7.2.2",
"7.2.3",
"8.0.0",
"8.0.1",
"8.0.2",
"8.1.0",
"8.2.0"
]
}
],
"aliases": [
"CVE-2019-10141"
],
"details": "A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"id": "PYSEC-2019-152",
"modified": "2021-07-05T00:01:21.998814Z",
"published": "2019-07-30T17:15:00Z",
"references": [
{
"type": "WEB",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"type": "WEB",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
},
{
"type": "WEB",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141"
},
{
"type": "WEB",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"type": "WEB",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
}
]
}
ghsa-c7fc-cm7p-92r2
Vulnerability from github
Published
2022-05-24 16:51
Modified
2024-09-27 15:56
Severity ?
8.3 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
7.2 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
7.2 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Openstack ironic-inspector has SQL injection vulnerability in node_cache
Details
A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ironic-inspector"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ironic-inspector"
},
"ranges": [
{
"events": [
{
"introduced": "5.1.0"
},
{
"fixed": "6.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ironic-inspector"
},
"ranges": [
{
"events": [
{
"introduced": "6.1.0"
},
{
"fixed": "7.2.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ironic-inspector"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ironic-inspector"
},
"ranges": [
{
"events": [
{
"introduced": "8.1.0"
},
{
"fixed": "8.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10141"
],
"database_specific": {
"cwe_ids": [
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-29T09:48:45Z",
"nvd_published_at": "2019-07-30T17:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.",
"id": "GHSA-c7fc-cm7p-92r2",
"modified": "2024-09-27T15:56:03Z",
"published": "2022-05-24T16:51:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10141"
},
{
"type": "WEB",
"url": "https://github.com/openstack/ironic-inspector/commit/17c796b49171b6133e988f78c92d7c9b7ed3fcf3"
},
{
"type": "WEB",
"url": "https://github.com/openstack/ironic-inspector/commit/67ff87ebca1016d44bd9d284ec4c16a88a533cfc"
},
{
"type": "WEB",
"url": "https://github.com/openstack/ironic-inspector/commit/97f9d34f8376ac7accd2597b3bdce67a9dac664f"
},
{
"type": "WEB",
"url": "https://github.com/openstack/ironic-inspector/commit/9d107900b2e0b599397b84409580d46e0ed16291"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141"
},
{
"type": "WEB",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"type": "WEB",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"type": "WEB",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"type": "WEB",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"type": "WEB",
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/ironic-inspector"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ironic-inspector/PYSEC-2019-152.yaml"
},
{
"type": "WEB",
"url": "https://review.opendev.org/c/openstack/ironic-inspector/+/660234"
},
{
"type": "WEB",
"url": "https://storyboard.openstack.org/#!/story/2005678"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Openstack ironic-inspector has SQL injection vulnerability in node_cache"
}
cve-2019-10141
Vulnerability from fkie_nvd
Published
2019-07-30 17:15
Modified
2024-11-21 04:18
Severity ?
8.3 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
9.1 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
9.1 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Summary
A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openstack | ironic-inspector | * | |
| openstack | ironic-inspector | * | |
| openstack | ironic-inspector | * | |
| openstack | ironic-inspector | * | |
| openstack | ironic-inspector | * | |
| redhat | openstack | 10 | |
| redhat | openstack | 13 | |
| redhat | openstack | 14 | |
| redhat | openstack | 9 | |
| redhat | enterprise_linux | 7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1148EC36-0766-4080-AC70-7C384D8A41BC",
"versionEndExcluding": "5.0.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E8F90AF2-9A18-40F8-BBAF-51D1727142FE",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*",
"matchCriteriaId": "77B95F6A-6F21-433A-B8C3-D7EA91312E62",
"versionEndExcluding": "7.2.4",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E9C414C8-F67E-4C60-BCC7-6CE2C0B552C8",
"versionEndExcluding": "8.0.3",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openstack:ironic-inspector:*:*:*:*:*:*:*:*",
"matchCriteriaId": "79F2C939-0CC0-444A-A313-A52A14CA7B0E",
"versionEndExcluding": "8.2.1",
"versionStartIncluding": "8.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*",
"matchCriteriaId": "E722FEF7-58A6-47AD-B1D0-DB0B71B0C7AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*",
"matchCriteriaId": "704CFA1A-953E-4105-BFBE-406034B83DED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*",
"matchCriteriaId": "EB7F358B-5E56-41AB-BB8A-23D3CB7A248B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openstack:9:*:*:*:*:*:*:*",
"matchCriteriaId": "F40C26BE-56CB-4022-A1D8-3CA0A8F87F4B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector\u0027s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service."
},
{
"lang": "es",
"value": "Se detect\u00f3 una vulnerabilidad en ironic-inspector de openstack en todas las versiones, excluyendo a la 5.0.2, 6.0.3, 7.2.4, 8.0.3 y 8.2.1. Se detect\u00f3 una vulnerabilidad de inyecci\u00f3n SQL en la funci\u00f3n node_cache.find_node() de ironic-inspector de openstack. Esta funci\u00f3n realiza una consulta SQL usando datos sin filtrar de un servidor que informa los resultados de la inspecci\u00f3n (mediante una POST hacia el endpoint /v1/continue). Porque la API no est\u00e1 autenticada, el fallo podr\u00eda ser explotado por un atacante con acceso a la red en la que ironic-inspector es detectado. Debido a que ironic-inspector usa los resultados de la consulta, es poco probable que se puedan obtener datos. Sin embargo, el atacante podr\u00eda pasar datos maliciosos y crear una denegaci\u00f3n de servicio."
}
],
"id": "CVE-2019-10141",
"lastModified": "2024-11-21T04:18:30.227",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.5,
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-07-30T17:15:12.453",
"references": [
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141"
},
{
"source": "secalert@redhat.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"source": "secalert@redhat.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"source": "secalert@redhat.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"source": "secalert@redhat.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"source": "secalert@redhat.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2019:2505"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.