PYSEC-2019-152

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/ironic-inspector/PYSEC-2019-152.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2019-152

Aliases

Published

2019-07-30T17:15:00Z

Modified

2024-04-29T10:12:23.060504Z

Summary

[none]

Details

A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's nodecache.findnode(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.

References

Affected packages

PyPI / ironic-inspector

Package

Name: ironic-inspector; View open source insights on deps.dev
Purl: pkg:pypi/ironic-inspector

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.1.0

Fixed

7.2.4

Introduced

8.1.0

Fixed

8.2.1

Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.0.2

Introduced

5.1.0

Fixed

6.0.3

Introduced

8.0.0

Fixed

8.0.3

Affected versions

2.*

2.0.0

2.0.1

2.1.0

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.3.0

3.*

3.0.0

3.1.0

3.2.0

3.2.1

3.2.2

3.3.0

4.*

4.0.0

4.1.0

4.2.0

4.2.1

4.2.2

5.*

5.0.0

5.0.1

5.1.0

6.*

6.0.0

6.0.1

6.0.2

6.1.0

7.*

7.0.0

7.1.0

7.2.0

7.2.1

7.2.2

7.2.3

8.*

8.0.0

8.0.1

8.0.2

8.1.0

8.2.0