CVE-2019-10141

Name of the Vulnerable Software and Affected Versions openstack-ironic-inspector versions prior to 5.0.2 openstack-ironic-inspector versions prior to 6.0.3 openstack-ironic-inspector versions prior to 7.2.4 openstack-ironic-inspector versions prior to 8.0.3 openstack-ironic-inspector versions prior to 8.2.1

Description A SQL-injection issue was found in the node cache.find node() function of openstack-ironic-inspector. This function constructs a SQL query using unfiltered data from a server reporting inspection results via a POST to the "/v1/continue" endpoint. Since the API is unauthenticated, an attacker with network access could exploit this flaw. Although it is unlikely that data could be obtained due to how the query results are used, an attacker could pass malicious data to create a denial of service.

Recommendations For versions prior to 5.0.2, update to version 5.0.2 or later. For versions prior to 6.0.3, update to version 6.0.3 or later. For versions prior to 7.2.4, update to version 7.2.4 or later. For versions prior to 8.0.3, update to version 8.0.3 or later. For versions prior to 8.2.1, update to version 8.2.1 or later. As a temporary workaround, consider restricting access to the "/v1/continue" endpoint to minimize the risk of exploitation.