8.3

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2019-10141

GHSA ID

GHSA-c7fc-cm7p-92r2

EPSS Score

0.74689%

CWE

CWE-89

Published

5/24/2022

Updated

9/27/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10141

CVE-2019-10141: Openstack ironic-inspector has SQL injection vulnerability in node_cache

A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2019-10141

CVE-2019-10141:

8.3

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2019-10141

GHSA ID

GHSA-c7fc-cm7p-92r2

EPSS Score

0.74689%

CWE

CWE-89

Published

5/24/2022

Updated

9/27/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ironic-inspector	pip	< 5.0.2	5.0.2
ironic-inspector	pip	>= 5.1.0, < 6.0.3	6.0.3
ironic-inspector	pip

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly names node_cache.find_node() as the vulnerable function. The commit diff shows this function previously built SQL queries via string concatenation (using 'text(stmt)') with user-controlled 'name' and 'value' parameters. The added test case 'test_input_filtering' specifically checks for SQL injection patterns, and the commit message states the fix was to replace raw SQL with SQLAlchemy's parameterized query builder.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2019-10141: Openstack ironic-inspector has SQL injection vulnerability in node_cache

CVE-2019-10141:

8.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

8.3

8.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2019-10141: Openstack ironic-inspector has SQL injection vulnerability in node_cache

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI