CVE-2019-10141: Openstack ironic-inspector has SQL injection vulnerability in node_cache
CVSS Score: 8.3 (CVSS v3.0)
Basic Information
CVE ID: CVE-2019-10141
GHSA ID:
EPSS Score: 0.74689%
CWE:
Published: 5/24/2022
Updated: 9/27/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| ironic-inspector | pip | < 5.0.2 | 5.0.2 |
| ironic-inspector | pip | >= 5.1.0, < 6.0.3 | 6.0.3 |
| ironic-inspector | pip | >= 6.1.0, < 7.2.4 | 7.2.4 |
| ironic-inspector | pip | >= 8.0.0, < 8.0.3 | 8.0.3 |
| ironic-inspector | pip | >= 8.1.0, < 8.2.1 | 8.2.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description explicitly names node_cache.find_node() as the vulnerable function. The commit diff shows that this function previously built SQL statements by string concatenation (wrapped in 'text(stmt)') using the user-controlled 'name' and 'value' parameters. The added test case 'test_input_filtering' specifically checks for SQL injection patterns, and the commit message states that the fix replaces the raw SQL with SQLAlchemy's parameterized query builder.