{ "data_type": "CVE", "data_format": "MITRE", "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2019-10141", "ASSIGNER": "secalert@redhat.com", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "vendor_name": "RedHat", "product": { "product_data": [ { "product_name": "openstack-ironic-inspector", "version": { "version_data": [ { "version_value": "all 5.0.x up to, excluding 5.0.2" }, { "version_value": "all 6.0.x up to, excluding 6.0.3" }, { "version_value": "all 7.2.x up to, excluding 7.2.4" }, { "version_value": "all 8.0.3 up to, excluding 8.0.3" }, { "version_value": "8.2.0" } ] } } ] } } ] } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89" } ] } ] }, "references": { "reference_data": [ { "url": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky", "refsource": "MISC", "name": "https://docs.openstack.org/releasenotes/ironic-inspector/rocky.html#relnotes-8-0-3-stable-rocky" }, { "url": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein", "refsource": "MISC", "name": "https://docs.openstack.org/releasenotes/ironic-inspector/stein.html#relnotes-8-2-1-stable-stein" }, { "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141", "refsource": "CONFIRM" }, { "url": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata", "refsource": "MISC", "name": "https://docs.openstack.org/releasenotes/ironic-inspector/ocata.html#relnotes-5-0-2-7-origin-stable-ocata" }, { "url": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike", "refsource": "MISC", "name": "https://docs.openstack.org/releasenotes/ironic-inspector/pike.html#relnotes-6-0-3-4-stable-pike" }, { "url": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens", "refsource": "MISC", "name": "https://docs.openstack.org/releasenotes/ironic-inspector/queens.html#relnotes-7-2-4-stable-queens" }, { "refsource": "REDHAT", "name": "RHSA-2019:2505", "url": "https://access.redhat.com/errata/RHSA-2019:2505" } ] }, "description": { "description_data": [ { "lang": "eng", "value": "A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service." } ] }, "impact": { "cvss": [ [ { "vectorString": "8.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", "version": "3.0" } ] ] } }