Vulnerability CVE-2018-1132


Published: 2018-06-20

Description:
A flaw was found in Opendaylight's SDNInterfaceapp (SDNI). Attackers can SQL inject the component's database (SQLite) without authenticating to the controller or SDNInterfaceapp. SDNInterface has been deprecated in OpenDayLight since it was last used in the final Carbon series release. In addition to the component not being included in OpenDayLight in newer releases, the SDNInterface component is not packaged in the opendaylight package included in RHEL.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
OpenDaylight SQL Injection
Jameel Nabbo
25.05.2018

Type:

CWE-89

(Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Opendaylight -> Sdninterfaceapp 

 References:
http://www.securityfocus.com/bid/104238
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1132
https://jira.opendaylight.org/browse/SDNINTRFAC-14
https://www.exploit-db.com/exploits/44747/

Copyright 2024, cxsecurity.com

 

Back to Top