CVE-2019-10138: Improper Access Control in novajoin
CVSS Score: 8.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2019-10138
GHSA ID:
EPSS Score: 0.63432%
CWE:
Published: 3/12/2020
Updated: 9/26/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| novajoin | pip | <= 1.1.0 | 1.1.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing access control on the novajoin API endpoint that generates FreeIPA tokens. OpenStack services normally guard API endpoints with policy decorators (for example `@policy.enforce`) that restrict which callers may invoke them. The fix in the referenced commit (https://review.opendev.org/#/c/631240/) likely added such a check to the token-generation handler. `TokenController.create` is a conventional name for this kind of endpoint handler in RESTful APIs, and the absence of policy enforcement in it before the patch would directly explain the vulnerability; this is consistent with the CVE description of insufficient access control. Note that the CVSS vector above (PR:L) indicates that a low-privileged authenticated caller is sufficient, so the missing check concerns authorization of already-authenticated users rather than unauthenticated access.