Grant Murphy (gmurphy) conducted an audit of OpenStack and reports the following potential SQL injection vulnerabilities:
[gm@localhost openstack]$ for q in SELECT WHERE INSERT UPDATE DELETE; do ack $q | grep '%'; done | grep -v test
swift/swift/common/db.py:379: SELECT ROWID FROM %s ORDER BY ROWID DESC LIMIT 1
swift/swift/common/db.py:424: SELECT * FROM %s WHERE ROWID > ? ORDER BY ROWID ASC LIMIT ?
swift/swift/common/db.py:440: "SELECT sync_point FROM %s_sync WHERE remote_id=?"
swift/swift/common/db.py:456: SELECT remote_id, sync_point FROM %s_sync
swift/swift/common/db.py:561: metadata = conn.execute('SELECT metadata FROM %s_stat' %
swift/swift/common/db.py:592: md = conn.execute('SELECT metadata FROM %s_stat' %
swift/swift/common/db.py:633: md = conn.execute('SELECT metadata FROM %s_stat' %
nova/nova/virt/hyperv/volumeutils.py:78: "WHERE TargetName='%s'" % target_iqn)
nova/nova/virt/hyperv/hostutils.py:66: "WHERE DeviceID='%s'"
nova/nova/virt/hyperv/basevolumeutils.py:123: "Class WHERE TargetName='%s'"
swift/swift/common/db.py:424: SELECT * FROM %s WHERE ROWID > ? ORDER BY ROWID ASC LIMIT ?
swift/swift/common/db.py:440: "SELECT sync_point FROM %s_sync WHERE remote_id=?"
nova/nova/db/sqlalchemy/migrate_repo/versions/152_change_type_of_deleted_column.py:40: return "INSERT INTO %s %s" % (
nova/nova/db/sqlalchemy/utils.py:64: return "INSERT INTO %s %s" % (
swift/swift/common/db.py:512: INSERT INTO %s_sync (sync_point, remote_id)
swift/swift/common/db.py:376: UPDATE %s_stat SET id=?
swift/swift/common/db.py:403: UPDATE %s_stat SET created_at=MIN(?, created_at),
swift/swift/common/db.py:518: UPDATE %s_sync SET sync_point=max(?, sync_point)
swift/swift/common/db.py:607: conn.execute('UPDATE %s_stat SET metadata = ?' % self.db_type,
swift/swift/common/db.py:644: conn.execute('UPDATE %s_stat SET metadata = ?' %
Upstream has been notified and investigation of these issues will be needed.
These may not be exploitable so no CVE for now.
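The grep above flags every line that has an SQL keyword and a `%`, which mixes two different patterns: a table name formatted into the statement (bound `?` parameters cannot carry identifiers, so the question is whether the name comes from a fixed set) and a value formatted inside quotes (which a bound parameter would normally replace). The following triage sketch is an added example, not part of the original report or of OpenStack; it sorts a few hits copied from the output above so the quoted-value cases are reviewed first. The category names and regexes are this example's own assumptions.

```python
import re

# Hits copied from the audit output above (path:line: matched text).
HITS = [
    "swift/swift/common/db.py:379: SELECT ROWID FROM %s ORDER BY ROWID DESC LIMIT 1",
    'swift/swift/common/db.py:440: "SELECT sync_point FROM %s_sync WHERE remote_id=?"',
    "swift/swift/common/db.py:607: conn.execute('UPDATE %s_stat SET metadata = ?' % self.db_type,",
    "nova/nova/virt/hyperv/volumeutils.py:78: \"WHERE TargetName='%s'\" % target_iqn)",
    'nova/nova/db/sqlalchemy/utils.py:64: return "INSERT INTO %s %s" % (',
]

HIT_RE = re.compile(r"^(?P<path>[^:]+):(?P<line>\d+):\s?(?P<text>.*)$")
# '%s' in single quotes: a value formatted into the statement text.
QUOTED_VALUE = re.compile(r"'%s'")
# %s directly after FROM/INTO/UPDATE: a table name built by formatting.
IDENTIFIER = re.compile(r"\b(?:FROM|INTO|UPDATE)\s+%s", re.IGNORECASE)
# Review order: values first, then lines with an unexplained extra %s.
ORDER = {"quoted-value": 0, "mixed": 1, "identifier": 2, "unclassified": 3}


def classify(text):
    """Return the review category for one matched source line."""
    total = text.count("%s")
    idents = len(IDENTIFIER.findall(text))
    if QUOTED_VALUE.search(text):
        return "quoted-value"
    if idents and idents == total:
        return "identifier"      # check the name against a fixed allowlist
    if idents:
        return "mixed"           # identifier plus another formatted fragment
    return "unclassified"


def triage(hits):
    """Parse grep/ack hits and return (path, line, category), riskiest first."""
    rows = []
    for hit in hits:
        m = HIT_RE.match(hit)
        if m:
            rows.append((m["path"], int(m["line"]), classify(m["text"])))
    return sorted(rows, key=lambda row: ORDER[row[2]])


if __name__ == "__main__":
    for path, line, category in triage(HITS):
        print(f"{category:13} {path}:{line}")
```

A category here only sets review priority; whether a hit is exploitable still depends on where the formatted value originates.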