
CVE-2019-10138: Improper Access Control in novajoin

CVSS Score: 8.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.63432%
Published: 3/12/2020
Updated: 9/26/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name    Ecosystem    Vulnerable Versions    First Patched Version
novajoin        pip          <= 1.1.0               1.1.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from missing access control on the novajoin API endpoint that generates FreeIPA tokens (the one-time enrollment secrets novajoin hands to hosts). Keystone authentication alone was enough to reach the endpoint: any authenticated user, regardless of role or project, could request a token. In OpenStack services, API handlers normally gate privileged operations with an oslo.policy check (for example a policy.enforce() call or an enforcement decorator) on top of the Keystone authentication performed by keystonemiddleware. The fix in the referenced change (https://review.opendev.org/#/c/631240/) likely added such a check to the token generation handler. This analysis refers to the handler as TokenController.create because that is a conventional name for this kind of endpoint handler in RESTful APIs; the exact function name is an inference, not a confirmed detail. Whatever the handler is called, the absence of a policy check before the patch directly accounts for the CVE's description of insufficient access control.
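The following is an added example illustrating the pattern described above; it is not novajoin's code and not the actual patch from review 631240. The names RequestContext, enforce, POLICY_RULES, the rule string "novajoin:create_token" and the two create_token_* handlers are all hypothetical, and the role-based rule table is a stand-in for an oslo.policy policy file. The vulnerable handler only requires that the caller is Keystone-authenticated; the hardened handler additionally enforces a policy rule before issuing a token.

```python
"""Hypothetical sketch of the access-control gap (not novajoin's code).

Shows an endpoint that only checks Keystone authentication next to one
that also enforces a policy rule before issuing a FreeIPA-style token.
"""
import secrets
from dataclasses import dataclass, field


class PolicyNotAuthorized(Exception):
    """Raised when the caller does not satisfy the rule (mirrors oslo.policy)."""


@dataclass
class RequestContext:
    """Minimal stand-in for the context keystonemiddleware populates."""
    user_id: str
    project_id: str
    roles: list = field(default_factory=list)
    is_authenticated: bool = True


# Hypothetical rule table. Real oslo.policy rules live in policy.yaml/.json;
# this dict only models an "any of these roles" check.
POLICY_RULES = {
    "novajoin:create_token": {"admin", "service"},
}


def enforce(context, rule):
    """Reject the call unless the caller holds a role the rule allows."""
    allowed = POLICY_RULES[rule]
    if not allowed.intersection(context.roles):
        raise PolicyNotAuthorized(rule)


def create_token_vulnerable(context, hostname):
    """Pre-fix shape: any authenticated Keystone user receives a token."""
    if not context.is_authenticated:
        raise PermissionError("unauthenticated")
    return {"hostname": hostname, "ipaotp": secrets.token_hex(16)}


def create_token_fixed(context, hostname):
    """Post-fix shape: same handler, but a policy check gates issuance."""
    if not context.is_authenticated:
        raise PermissionError("unauthenticated")
    enforce(context, "novajoin:create_token")
    return {"hostname": hostname, "ipaotp": secrets.token_hex(16)}


def check_who_can_issue(handler):
    """Run two constructed callers through a handler; report who gets a token."""
    tenant_user = RequestContext("u1", "p1", roles=["member"])      # constructed
    service_user = RequestContext("nova", "svc", roles=["service"])  # constructed
    results = {}
    for name, ctx in (("member", tenant_user), ("service", service_user)):
        try:
            handler(ctx, "host1.example.test")
            results[name] = True
        except PolicyNotAuthorized:
            results[name] = False
    return results


if __name__ == "__main__":
    print("vulnerable:", check_who_can_issue(create_token_vulnerable))
    print("fixed:     ", check_who_can_issue(create_token_fixed))
```

Against the vulnerable handler both constructed callers obtain a token; against the hardened one only the caller holding an allowed role does. The design point is that authentication (who you are) and authorization (what you may do) are separate checks, and a service that stops at the first is exactly what the CVE describes.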


WAF Protection Rules

WAF Rule

A flaw was discovered in the python-novajoin plugin, all versions up to, excluding 1.1.1, for Red Hat OpenStack Platform. The novajoin API lacked sufficient access control, allowing any keystone authenticated user to generate FreeIPA tokens.
