Bug 973514

Summary: PST Audit: OpenStack Swift / Nova: Potential SQL injection
Product: [Other] Security Response
Component: vulnerability
Reporter: Kurt Seifried <kseifried>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: unspecified
CC: abaron, aortega, apevec, ayoung, chrisw, dallan, derekh, gkotton, gmollett, gmurphy, kseifried, markmc, ndipanov, rbryant, sclewis, security-response-team, ykaul, zaitcev
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-06-18 05:46:48 UTC
Bug Blocks: 973515

Description Kurt Seifried 2013-06-12 06:05:09 UTC
Grant Murphy (gmurphy) conducted an audit of OpenStack and reports the following potential SQL injection vulnerabilities:

[gm@localhost openstack]$ for q in SELECT WHERE INSERT UPDATE DELETE; do ack $q  | grep '%'; done | grep -v test
swift/swift/common/db.py:379:                SELECT ROWID FROM %s ORDER BY ROWID DESC LIMIT 1
swift/swift/common/db.py:424:                SELECT * FROM %s WHERE ROWID > ? ORDER BY ROWID ASC LIMIT ?
swift/swift/common/db.py:440:                "SELECT sync_point FROM %s_sync WHERE remote_id=?"
swift/swift/common/db.py:456:                SELECT remote_id, sync_point FROM %s_sync
swift/swift/common/db.py:561:                metadata = conn.execute('SELECT metadata FROM %s_stat' %
swift/swift/common/db.py:592:                md = conn.execute('SELECT metadata FROM %s_stat' %
swift/swift/common/db.py:633:            md = conn.execute('SELECT metadata FROM %s_stat' %
nova/nova/virt/hyperv/volumeutils.py:78:                                        "WHERE TargetName='%s'" % target_iqn)
nova/nova/virt/hyperv/hostutils.py:66:                                              "WHERE DeviceID='%s'"
nova/nova/virt/hyperv/basevolumeutils.py:123:                                                  "Class WHERE TargetName='%s'"
swift/swift/common/db.py:424:                SELECT * FROM %s WHERE ROWID > ? ORDER BY ROWID ASC LIMIT ?
swift/swift/common/db.py:440:                "SELECT sync_point FROM %s_sync WHERE remote_id=?"
nova/nova/db/sqlalchemy/migrate_repo/versions/152_change_type_of_deleted_column.py:40:    return "INSERT INTO %s %s" % (
nova/nova/db/sqlalchemy/utils.py:64:    return "INSERT INTO %s %s" % (
swift/swift/common/db.py:512:                        INSERT INTO %s_sync (sync_point, remote_id)
swift/swift/common/db.py:376:                UPDATE %s_stat SET id=?
swift/swift/common/db.py:403:                UPDATE %s_stat SET created_at=MIN(?, created_at),
swift/swift/common/db.py:518:                        UPDATE %s_sync SET sync_point=max(?, sync_point)
swift/swift/common/db.py:607:            conn.execute('UPDATE %s_stat SET metadata = ?' % self.db_type,
swift/swift/common/db.py:644:                    conn.execute('UPDATE %s_stat SET metadata = ?' %

Upstream has been notified and investigation of these issues will be needed.

These may not be exploitable so no CVE for now.

Comment 1 Kurt Seifried 2013-06-18 05:44:52 UTC
https://bugs.launchpad.net/nova/+bug/1190226

These have been classed as security hardening and not as a security vulnerability due to lack of exploitability.
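
Added example, not part of the bug report or of the OpenStack code: one way to harden the flagged pattern, where a table-name prefix is formatted into the statement with %s while the values are bound with ?. The allowlist values "account" and "container", the helper names and the in-memory table are assumptions made for illustration.

```python
import sqlite3

# Assumption: the only prefixes the calling code ever needs.
ALLOWED_DB_TYPES = frozenset({"account", "container"})


def stat_table(db_type):
    """Return '<db_type>_stat', refusing any prefix not on the allowlist.

    SQLite cannot bind identifiers with '?', so the table name has to be
    formatted into the statement text; the allowlist keeps that step safe.
    """
    if db_type not in ALLOWED_DB_TYPES:
        raise ValueError("unexpected db_type: %r" % (db_type,))
    return "%s_stat" % db_type


def update_metadata(conn, db_type, metadata):
    # Identifier: validated, then formatted. Value: bound with '?'.
    conn.execute("UPDATE %s SET metadata = ?" % stat_table(db_type),
                 (metadata,))


def read_metadata(conn, db_type):
    row = conn.execute(
        "SELECT metadata FROM %s" % stat_table(db_type)).fetchone()
    return row[0] if row else None


def demo():
    """Run both paths against a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE container_stat (metadata TEXT)")
    conn.execute("INSERT INTO container_stat (metadata) VALUES ('')")
    odd_value = "it's \"quoted\"; -- still just data"  # constructed sample
    update_metadata(conn, "container", odd_value)
    try:
        read_metadata(conn, "container_stat; --")  # constructed bad prefix
        rejected = False
    except ValueError:
        rejected = True
    return read_metadata(conn, "container"), odd_value, rejected


if __name__ == "__main__":
    print(demo())
```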