CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2018-1132 – OpenDaylight SQL Injection
https://notcve.org/view.php?id=CVE-2018-1132
A flaw was found in Opendaylight's SDNInterfaceapp (SDNI). Attackers can SQL inject the component's database (SQLite) without authenticating to the controller or SDNInterfaceapp. SDNInterface has been deprecated in OpenDayLight since it was last used in the final Carbon series release. In addition to the component not being included in OpenDayLight in newer releases, the SDNInterface component is not packaged in the opendaylight package included in RHEL. Se ha encontrado un error en SDNInterfaceapp (SDNI), de Opendaylight. • http://www.securityfocus.com/bid/104238 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1132 https://jira.opendaylight.org/browse/SDNINTRFAC-14 https://www.exploit-db.com/exploits/44747 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2018-1078
https://notcve.org/view.php?id=CVE-2018-1078
OpenDayLight version Carbon SR3 and earlier contain a vulnerability during node reconciliation that can result in traffic flows that should be expired or should expire shortly being re-installed and their timers reset resulting in traffic being allowed that should be expired. OpenDayLight, en versiones Carbon SR3 y anteriores, contiene una vulnerabilidad durante la reconciliación de nodos que puede resultar en flujos de tráfico que deberían estar caducados o deberían hacerlo en breves se reinstalen y resulten en la permisión de tráfico que debería estar caducado. • https://bugzilla.redhat.com/show_bug.cgi?id=1533501 https://jira.opendaylight.org/browse/OPNFLWPLUG-971 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2017-1000411
https://notcve.org/view.php?id=CVE-2017-1000411
OpenFlow Plugin and OpenDayLight Controller versions Nitrogen, Carbon, Boron, Robert Varga, Anil Vishnoi contain a flaw when multiple 'expired' flows take up the memory resource of CONFIG DATASTORE which leads to CONTROLLER shutdown. If multiple different flows with 'idle-timeout' and 'hard-timeout' are sent to the Openflow Plugin REST API, the expired flows will eventually crash the controller once its resource allocations set with the JVM size are exceeded. Although the installed flows (with timeout set) are removed from network (and thus also from controller's operations DS), the expired entries are still present in CONFIG DS. The attack can originate both from NORTH or SOUTH. The above description is for a north bound attack. • http://seclists.org/oss-sec/2018/q1/52 http://www.securityfocus.com/bid/102736 • CWE-404: Improper Resource Shutdown or Release •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-1000406
https://notcve.org/view.php?id=CVE-2017-1000406
OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache after a password change, allowing the old password to be used until the Karaf cache is manually cleared (e.g. via restart). OpenDaylight Karaf 0.6.1-Carbon no limpia la memoria caché después de un cambio de contraseña, permitiendo el uso de la contraseña antigua hasta que la memoria caché Karaf se limpie manualmente (por ejemplo, mediante reinicio). • http://seclists.org/oss-sec/2017/q4/320 https://git.opendaylight.org/gerrit/#/q/topic:AAA-151 https://jira.opendaylight.org/browse/AAA-151 • CWE-254: 7PK - Security Features •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2014-8149
https://notcve.org/view.php?id=CVE-2014-8149
OpenDaylight defense4all 1.1.0 and earlier allows remote authenticated users to write report data to arbitrary files. OpenDaylight defense4all 1.1.0 y versiones anteriores permite a usuarios autenticados remotamente escribir datos en archivos arbitrarios. • http://www.openwall.com/lists/oss-security/2015/01/22/1 http://www.securityfocus.com/bid/72280 https://git.opendaylight.org/gerrit/#/c/13972 https://git.opendaylight.org/gerrit/#/c/14088 https://wiki.opendaylight.org/view/Security_Advisories • CWE-20: Improper Input Validation •