CVE-2019-10141
moderate-risk
Published 2019-07-30
A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
Do I need to act?
-
0.56% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.3/10
High
NETWORK
/ LOW complexity
References (14)
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10141
43
/ 100
moderate-risk
Severity
29/34 · Critical
Exploitability
2/34 · Minimal
Exposure
12/34 · Low