Candidate: CVE-2019-10141
PublicDate: 2019-07-30 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10141
 https://review.opendev.org/#/c/660234/
 https://bugzilla.redhat.com/show_bug.cgi?id=1711722
Description:
 A vulnerability was found in openstack-ironic-inspector all versions
 excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection
 vulnerability was found in openstack-ironic-inspector's
 node_cache.find_node(). This function makes a SQL query using unfiltered
 data from a server reporting inspection results (by a POST to the
 /v1/continue endpoint). Because the API is unauthenticated, the flaw
 could be exploited by an attacker with access to the network on which
 ironic-inspector is listening. Because of how ironic-inspector uses the
 query results, it is unlikely that data could be obtained. However, the
 attacker could pass malicious data and create a denial of service.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H [9.1 CRITICAL]

Patches_ironic-inspector:
upstream_ironic-inspector: needs-triage
precise/esm_ironic-inspector: DNE
trusty_ironic-inspector: ignored (out of standard support)
trusty/esm_ironic-inspector: DNE
xenial_ironic-inspector: ignored (end of standard support, was needed)
bionic_ironic-inspector: needed
cosmic_ironic-inspector: ignored (reached end-of-life)
disco_ironic-inspector: ignored (reached end-of-life)
eoan_ironic-inspector: not-affected (8.0.0-3)
focal_ironic-inspector: not-affected (8.0.0-3)
groovy_ironic-inspector: not-affected (8.0.0-3)
hirsute_ironic-inspector: not-affected (8.0.0-3)
impish_ironic-inspector: not-affected (8.0.0-3)
jammy_ironic-inspector: not-affected (8.0.0-3)
devel_ironic-inspector: not-affected (8.0.0-3)