Change abandoned by Sean Dague (sean at dague.net) on branch: master Review: https://review.openstack.org/131433 Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results. -- You received this bug notification because you are a member of OpenStack Security Group, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1370295 Title: Possible SQL Injection vulnerability in hyperv volumeutils2 Status in OpenStack Compute (Nova): Opinion Status in OpenStack Security Advisories: Won't Fix Bug description: This line: https://github.com/openstack/nova/blob/master/nova/virt/hyperv/volumeutilsv2.py#L54 makes a raw SQL query using input from target_address and target_port. If an attacker is able to manipulate either of these parameters, they can exploit a SQL injection vulnerability. If neither of these parameters can be controlled by an attacker, it's probably OK to fix this in public. These should definitely at least be strengthened by using prepared statements, or even better, a secure SQL library such as sqlalchemy. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1370295/+subscriptions