CVSS: 9.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

15 Sep 2024 — An issue was discovered in OpenDaylight Authentication, Authorization and Accounting (AAA) through 0.19.3. A rogue controller can join a cluster to impersonate an offline peer, even if this rogue controller does not possess the complete cluster configuration information. • https://docs.opendaylight.org/en/latest/release-notes/projects/aaa.html • CWE-520: .NET Misconfiguration: Use of Impersonation

CVSS: 9.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

15 Sep 2024 — In OpenDaylight Model-Driven Service Abstraction Layer (MD-SAL) through 13.0.1, a controller with a follower role can configure flow entries in an OpenDaylight clustering deployment. • https://docs.opendaylight.org/en/latest/release-notes/projects/mdsal.html • CWE-285: Improper Authorization

CVSS: 9.8 • EPSS: 2% • CPEs: 1 • EXPL: 3

24 May 2018 — A flaw was found in OpenDaylight's SDNInterfaceapp (SDNI). Attackers can SQL inject the component's database (SQLite) without authenticating to the controller or SDNInterfaceapp. SDNInterface has been deprecated in OpenDaylight since it was last used in the final Carbon series release. In addition to the component not being included in OpenDaylight in newer releases, the SDNInterface component is not packaged in the opendaylight package included in RHEL. • https://packetstorm.news/files/id/147856 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 • EPSS: 0% • CPEs: 4 • EXPL: 0

16 Mar 2018 — OpenDaylight versions Carbon SR3 and earlier contain a vulnerability during node reconciliation: traffic flows that should be expired, or should expire shortly, can be re-installed with their timers reset, so traffic that should be expired is allowed. • https://bugzilla.redhat.com/show_bug.cgi?id=1533501 • CWE-20: Improper Input Validation

CVSS: 7.5 • EPSS: 0% • CPEs: 6 • EXPL: 0

31 Jan 2018 — OpenFlow Plugin and OpenDaylight Controller versions Nitrogen, Carbon, Boron, Robert Varga, Anil Vishnoi contain a flaw when multiple 'expired' flows take up the memory resource of CONFIG DATASTORE which leads to CONTROLLER shutdown. If multiple different flows with 'idle-timeout' and 'hard-timeout' are sent to the OpenFlow Plugin REST API, the expired flows will eventually crash the controller once its resource allocations set with the JVM size are exceeded. Although the installed flows (with timeout set) ... • http://seclists.org/oss-sec/2018/q1/52 • CWE-404: Improper Resource Shutdown or Release

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 Nov 2017 — OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache after a password change, allowing the old password to be used until the Karaf cache is manually cleared (e.g. via restart). • http://seclists.org/oss-sec/2017/q4/320 • CWE-254: 7PK - Security Features

CVSS: 9.8 • EPSS: 3% • CPEs: 1 • EXPL: 0

27 Jun 2017 — The custom authentication realm used by karaf-tomcat's "opendaylight" realm in OpenDaylight before Helium SR3 will authenticate any username and password combination. • http://www.openwall.com/lists/oss-security/2015/03/20/3 • CWE-287: Improper Authentication

CVSS: 8.8 • EPSS: 1% • CPEs: 1 • EXPL: 0

27 Jun 2017 — OpenDaylight defense4all 1.1.0 and earlier allows remote authenticated users to write report data to arbitrary files. • http://www.openwall.com/lists/oss-security/2015/01/22/1 • CWE-20: Improper Input Validation

CVSS: 5.3 • EPSS: 0% • CPEs: 2 • EXPL: 1

24 Apr 2017 — Java out of memory error and significant increase in resource consumption. Component: OpenDaylight odl-mdsal-xsql is vulnerable to this flaw. Version: The tested versions are OpenDaylight 3.3 and 4.0. • https://aaltodoc.aalto.fi/bitstream/handle/123456789/21584/master_Bidaj_Andi_2016.pdf • CWE-400: Uncontrolled Resource Consumption

CVSS: 7.5 • EPSS: 0% • CPEs: 2 • EXPL: 1

24 Apr 2017 — Denial of Service attack when the switch refuses to receive packets from the controller. Component: This vulnerability affects OpenDaylight odl-l2switch-switch, which is the feature responsible for the OpenFlow communication. Version: OpenDaylight versions 3.3 (Lithium-SR3), 3.4 (Lithium-SR4), 4.0 (Beryllium), 4.1 (Beryllium-SR1), 4.2 (Beryllium-SR2), and 4.4 (Beryllium-SR4) are affected by this flaw. Java version is openjdk version 1.8.0_91. • https://aaltodoc.aalto.fi/bitstream/handle/123456789/21584/master_Bidaj_Andi_2016.pdf • CWE-400: Uncontrolled Resource Consumption