Search criteria
39 vulnerabilities found for onos by onosproject
FKIE_CVE-2023-30093
Vulnerability from fkie_nvd - Published: 2023-05-04 22:15 - Updated: 2025-01-29 21:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A cross-site scripting (XSS) vulnerability in Open Networking Foundation ONOS from version v1.9.0 to v2.7.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the url parameter of the API documentation dashboard.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://www.edoardoottavianelli.it/CVE-2023-30093/ | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.youtube.com/watch?v=jZr2JhDd_S8 | Exploit | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.edoardoottavianelli.it/CVE-2023-30093/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.youtube.com/watch?v=jZr2JhDd_S8 | Exploit |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| onosproject | onos | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:onosproject:onos:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F0A8426-D701-40EA-9262-E34C943948D8",
"versionEndIncluding": "2.7.0",
"versionStartIncluding": "1.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) vulnerability in Open Networking Foundation ONOS from version v1.9.0 to v2.7.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the url parameter of the API documentation dashboard."
}
],
"id": "CVE-2023-30093",
"lastModified": "2025-01-29T21:15:17.983",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-05-04T22:15:09.120",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.edoardoottavianelli.it/CVE-2023-30093/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://www.youtube.com/watch?v=jZr2JhDd_S8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.edoardoottavianelli.it/CVE-2023-30093/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://www.youtube.com/watch?v=jZr2JhDd_S8"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2019-13624
Vulnerability from fkie_nvd - Published: 2019-07-17 03:15 - Updated: 2024-11-21 04:25
Severity ?
Summary
In ONOS 1.15.0, apps/yang/web/src/main/java/org/onosproject/yang/web/YangWebResource.java mishandles backquote characters within strings that can be used in a shell command.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://gerrit.onosproject.org/#/c/20767/ | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://gerrit.onosproject.org/#/c/20767/ | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| onosproject | onos | 1.15.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:onosproject:onos:1.15.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0F646EEC-BD3D-4B14-85B8-81152F67B9C6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In ONOS 1.15.0, apps/yang/web/src/main/java/org/onosproject/yang/web/YangWebResource.java mishandles backquote characters within strings that can be used in a shell command."
},
{
"lang": "es",
"value": "En ONOS versi\u00f3n 1.15.0, el archivo apps/yang/web/src/main/java/org/onosproject/yang/web/YangWebResource.java maneja inapropiadamente los caracteres backquote dentro de cadenas que pueden ser usadas en un comando de shell."
}
],
"id": "CVE-2019-13624",
"lastModified": "2024-11-21T04:25:23.270",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-07-17T03:15:10.617",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/20767/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/20767/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-19"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-1000615
Vulnerability from fkie_nvd - Published: 2018-07-09 20:29 - Updated: 2024-11-21 03:40
Severity ?
Summary
ONOS ONOS Controller version 1.13.1 and earlier contains a Denial of Service (Service crash) vulnerability in OVSDB component in ONOS that can result in An adversary can remotely crash OVSDB service ONOS controller via a normal switch.. This attack appear to be exploitable via the attacker should be able to control or forge a switch in the network..
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://gms.cl0udz.com/OVSDB_DOS.pdf | Exploit, Third Party Advisory | |
| cve@mitre.org | https://gerrit.onosproject.org/#/c/18926/ | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://gms.cl0udz.com/OVSDB_DOS.pdf | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://gerrit.onosproject.org/#/c/18926/ | Issue Tracking, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| onosproject | onos | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:onosproject:onos:*:*:*:*:*:*:*:*",
"matchCriteriaId": "07932239-88E0-45F0-988B-99BAF9761472",
"versionEndIncluding": "1.13.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ONOS ONOS Controller version 1.13.1 and earlier contains a Denial of Service (Service crash) vulnerability in OVSDB component in ONOS that can result in An adversary can remotely crash OVSDB service ONOS controller via a normal switch.. This attack appear to be exploitable via the attacker should be able to control or forge a switch in the network.."
},
{
"lang": "es",
"value": "ONOS ONOS Controller en versiones 1.13.1 y anteriores contiene una vulnerabilidad de denegaci\u00f3n de servicio (cierre inesperado del servicio) en el componente OVSDB en ONOS que puede resultar en que un atacante pueda bloquear remotamente el controlador ONOS del servicio OVSDB mediante un switch normal. Este ataque parece ser explotable si el atacante controla o falsea un switch en la red."
}
],
"id": "CVE-2018-1000615",
"lastModified": "2024-11-21T03:40:14.247",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-07-09T20:29:00.423",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://gms.cl0udz.com/OVSDB_DOS.pdf"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/18926/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://gms.cl0udz.com/OVSDB_DOS.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/18926/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-1000614
Vulnerability from fkie_nvd - Published: 2018-07-09 20:29 - Updated: 2024-11-21 03:40
Severity ?
Summary
ONOS ONOS Controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that can result in An adversary can remotely launch advanced XXE attacks on ONOS controller without authentication.. This attack appear to be exploitable via crafted protocol message.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://gms.cl0udz.com/ONOS_Vul.pdf | Exploit, Third Party Advisory | |
| cve@mitre.org | https://gerrit.onosproject.org/#/c/18779/ | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://gms.cl0udz.com/ONOS_Vul.pdf | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://gerrit.onosproject.org/#/c/18779/ | Issue Tracking, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| onosproject | onos | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:onosproject:onos:*:*:*:*:*:*:*:*",
"matchCriteriaId": "07932239-88E0-45F0-988B-99BAF9761472",
"versionEndIncluding": "1.13.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ONOS ONOS Controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that can result in An adversary can remotely launch advanced XXE attacks on ONOS controller without authentication.. This attack appear to be exploitable via crafted protocol message."
},
{
"lang": "es",
"value": "ONOS ONOS Controller en versiones 1.13.1 y anteriores contiene una vulnerabilidad XXE (XML External Entity) en providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java que puede resultar en que un atacante pueda ejecutar de manera remota ataques XXE avanzados en el controlador de ONOS sin autenticaci\u00f3n. Parece ser que este ataque puede ser explotado mediante un mensaje de protocolo manipulado."
}
],
"id": "CVE-2018-1000614",
"lastModified": "2024-11-21T03:40:14.093",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-07-09T20:29:00.377",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://gms.cl0udz.com/ONOS_Vul.pdf"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/18779/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://gms.cl0udz.com/ONOS_Vul.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/18779/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-1000616
Vulnerability from fkie_nvd - Published: 2018-07-09 20:29 - Updated: 2024-11-21 03:40
Severity ?
Summary
ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onos\drivers\utilities\src\main\java\org\onosproject\drivers\utilities\XmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://gms.cl0udz.com/Openconfig_xxe.pdf | Exploit, Third Party Advisory | |
| cve@mitre.org | https://gerrit.onosproject.org/#/c/18894/ | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://gms.cl0udz.com/Openconfig_xxe.pdf | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://gerrit.onosproject.org/#/c/18894/ | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| onosproject | onos | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:onosproject:onos:*:*:*:*:*:*:*:*",
"matchCriteriaId": "07932239-88E0-45F0-988B-99BAF9761472",
"versionEndIncluding": "1.13.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onos\\drivers\\utilities\\src\\main\\java\\org\\onosproject\\drivers\\utilities\\XmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity."
},
{
"lang": "es",
"value": "ONOS ONOS Controller en versiones 1.13.1 y anteriores contiene una vulnerabilidad XXE (XML External Entity) en onos\\drivers\\utilities\\src\\main\\java\\org\\onosproject\\drivers\\utilities\\XmlConfigParser.java en la funci\u00f3n loadxml() que puede resultar en en que un atacante puede ejecutar ataques XXE remotamente en el controlador ONOS mediante un dispositivo terminal OpenConfig. Este ataque parece ser explotable mediante conectividad de red."
}
],
"id": "CVE-2018-1000616",
"lastModified": "2024-11-21T03:40:14.390",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-07-09T20:29:00.503",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://gms.cl0udz.com/Openconfig_xxe.pdf"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/18894/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://gms.cl0udz.com/Openconfig_xxe.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/18894/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-12691
Vulnerability from fkie_nvd - Published: 2018-07-05 18:29 - Updated: 2024-11-21 03:45
Severity ?
Summary
Time-of-check to time-of-use (TOCTOU) race condition in org.onosproject.acl (aka the access control application) in ONOS v1.13 and earlier allows attackers to bypass network access control via data plane packet injection.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://gerrit.onosproject.org/#/c/18867/ | Patch, Third Party Advisory | |
| cve@mitre.org | https://wiki.onosproject.org/display/ONOS/Security+advisories | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://gerrit.onosproject.org/#/c/18867/ | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wiki.onosproject.org/display/ONOS/Security+advisories | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| onosproject | onos | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:onosproject:onos:*:*:*:*:*:*:*:*",
"matchCriteriaId": "24D9902E-5815-40A4-BE20-E5AA31E21C2E",
"versionEndIncluding": "1.13.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Time-of-check to time-of-use (TOCTOU) race condition in org.onosproject.acl (aka the access control application) in ONOS v1.13 and earlier allows attackers to bypass network access control via data plane packet injection."
},
{
"lang": "es",
"value": "Condici\u00f3n de carrera TOCTOU (time-of-check to time-of-use) en org.onosproject.acl (tambi\u00e9n conocida como aplicaci\u00f3n de control de acceso) en ONOS v1.13 y anteriores permite que los atacantes omitan el control de acceso de red mediante la inyecci\u00f3n de paquetes del plano de datos."
}
],
"id": "CVE-2018-12691",
"lastModified": "2024-11-21T03:45:40.820",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-07-05T18:29:00.360",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/18867/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://wiki.onosproject.org/display/ONOS/Security+advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/18867/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://wiki.onosproject.org/display/ONOS/Security+advisories"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-362"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-13762
Vulnerability from fkie_nvd - Published: 2017-08-30 00:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
ONOS versions 1.8.0, 1.9.0, and 1.10.0 are vulnerable to XSS.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| onosproject | onos | 1.8.0 | |
| onosproject | onos | 1.9.0 | |
| onosproject | onos | 1.10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:onosproject:onos:1.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "22DC5644-60E9-48F6-AF7B-B45E3376EFE5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:onosproject:onos:1.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "589F0DEF-2F1C-4F0C-9700-6F0AEBEAC5E4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:onosproject:onos:1.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "561BA05F-F588-4495-9462-F02A1467089B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ONOS versions 1.8.0, 1.9.0, and 1.10.0 are vulnerable to XSS."
},
{
"lang": "es",
"value": "ONOS en sus versiones 1.8.0, 1.9.0, y 1.10.0 es vulnerable a Cross-Site Scripting (XSS)."
}
],
"id": "CVE-2017-13762",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-08-30T00:29:00.500",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/14031/"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/14049/"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/14050/"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/14066/"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/14067/"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/14069/"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/14148/"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/14170/"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/14179/"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/14182/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/14031/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/14049/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/14050/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/14066/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/14067/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/14069/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/14148/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/14170/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/14179/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/14182/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-13763
Vulnerability from fkie_nvd - Published: 2017-08-30 00:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
ONOS versions 1.8.0, 1.9.0, and 1.10.0 do not restrict the amount of memory allocated. The Netty payload size is not limited.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://gerrit.onosproject.org/#/c/13831/ | Issue Tracking, Vendor Advisory | |
| cve@mitre.org | https://gerrit.onosproject.org/#/c/14318/ | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://gerrit.onosproject.org/#/c/13831/ | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://gerrit.onosproject.org/#/c/14318/ | Issue Tracking, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| onosproject | onos | 1.8.0 | |
| onosproject | onos | 1.9.0 | |
| onosproject | onos | 1.10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:onosproject:onos:1.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "22DC5644-60E9-48F6-AF7B-B45E3376EFE5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:onosproject:onos:1.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "589F0DEF-2F1C-4F0C-9700-6F0AEBEAC5E4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:onosproject:onos:1.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "561BA05F-F588-4495-9462-F02A1467089B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ONOS versions 1.8.0, 1.9.0, and 1.10.0 do not restrict the amount of memory allocated. The Netty payload size is not limited."
},
{
"lang": "es",
"value": "ONOS en sus versiones 1.8.0, 1.9.0, y 1.10.0 no restringe la cantidad de memoria asignada. El tama\u00f1o de payload de Netty no se encuentra limitado."
}
],
"id": "CVE-2017-13763",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-08-30T00:29:00.547",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/13831/"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/14318/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/13831/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/14318/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2015-7516
Vulnerability from fkie_nvd - Published: 2017-08-24 20:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
ONOS before 1.5.0 when using the ifwd app allows remote attackers to cause a denial of service (NULL pointer dereference and switch disconnect) by sending two Ethernet frames with ether_type Jumbo Frame (0x8870).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| onosproject | onos | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:onosproject:onos:*:*:*:*:*:*:*:*",
"matchCriteriaId": "880DF3D2-2D06-48E3-B640-539E73835492",
"versionEndIncluding": "1.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ONOS before 1.5.0 when using the ifwd app allows remote attackers to cause a denial of service (NULL pointer dereference and switch disconnect) by sending two Ethernet frames with ether_type Jumbo Frame (0x8870)."
},
{
"lang": "es",
"value": "ONOS en versiones anteriores a la 1.5.0 al emplear la app ifwd permite que atacantes remotos provoquen una denegaci\u00f3n de servicio (desreferencia de puntero NULL y desconexi\u00f3n de switch) mediante el env\u00edo de dos frames Ethernet con Jumbo Frame ether_type (0x8870)."
}
],
"id": "CVE-2015-7516",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-08-24T20:29:00.517",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2015/11/26/1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/77752"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/6137/"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.onosproject.org/browse/ONOS-3349"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://wiki.onosproject.org/display/ONOS/Security+advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2015/11/26/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/77752"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://gerrit.onosproject.org/#/c/6137/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.onosproject.org/browse/ONOS-3349"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://wiki.onosproject.org/display/ONOS/Security+advisories"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-476"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-1000081
Vulnerability from fkie_nvd - Published: 2017-07-17 13:18 - Updated: 2025-04-20 01:37
Severity ?
Summary
Linux foundation ONOS 1.9.0 is vulnerable to unauthenticated upload of applications (.oar) resulting in remote code execution.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| onosproject | onos | 1.8.0 | |
| onosproject | onos | 1.9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:onosproject:onos:1.8.0:-:*:*:*:*:*:*",
"matchCriteriaId": "5A51ADFD-8C5C-44BC-9BE0-869D0A68BCE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:onosproject:onos:1.9.0:-:*:*:*:*:*:*",
"matchCriteriaId": "ECD116BB-602C-4A86-97D1-58C0875B6AA0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Linux foundation ONOS 1.9.0 is vulnerable to unauthenticated upload of applications (.oar) resulting in remote code execution."
},
{
"lang": "es",
"value": "Linux foundation ONOS versi\u00f3n 1.9.0, es vulnerable a la carga no autenticada de aplicaciones (.oar) resultando en la ejecuci\u00f3n de c\u00f3digo remota."
}
],
"id": "CVE-2017-1000081",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-07-17T13:18:18.517",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.onosproject.org/display/ONOS/Security+advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.onosproject.org/display/ONOS/Security+advisories"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-1000080
Vulnerability from fkie_nvd - Published: 2017-07-17 13:18 - Updated: 2025-04-20 01:37
Severity ?
Summary
Linux foundation ONOS 1.9.0 allows unauthenticated use of websockets.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| onosproject | onos | 1.8.0 | |
| onosproject | onos | 1.9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:onosproject:onos:1.8.0:-:*:*:*:*:*:*",
"matchCriteriaId": "5A51ADFD-8C5C-44BC-9BE0-869D0A68BCE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:onosproject:onos:1.9.0:-:*:*:*:*:*:*",
"matchCriteriaId": "ECD116BB-602C-4A86-97D1-58C0875B6AA0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Linux foundation ONOS 1.9.0 allows unauthenticated use of websockets."
},
{
"lang": "es",
"value": "Linux foundation ONOS versi\u00f3n 1.9.0, permite el uso no autenticado de websockets."
}
],
"id": "CVE-2017-1000080",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-07-17T13:18:18.483",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.onosproject.org/display/ONOS/Security+advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.onosproject.org/display/ONOS/Security+advisories"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-1000078
Vulnerability from fkie_nvd - Published: 2017-07-17 13:18 - Updated: 2025-04-20 01:37
Severity ?
Summary
Linux foundation ONOS 1.9 is vulnerable to XSS in the device. registration
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| onosproject | onos | 1.8.0 | |
| onosproject | onos | 1.9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:onosproject:onos:1.8.0:-:*:*:*:*:*:*",
"matchCriteriaId": "5A51ADFD-8C5C-44BC-9BE0-869D0A68BCE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:onosproject:onos:1.9.0:-:*:*:*:*:*:*",
"matchCriteriaId": "ECD116BB-602C-4A86-97D1-58C0875B6AA0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Linux foundation ONOS 1.9 is vulnerable to XSS in the device. registration"
},
{
"lang": "es",
"value": "Linux foundation ONOS versi\u00f3n 1.9, es vulnerable a XSS en el Registro del Dispositivo."
}
],
"id": "CVE-2017-1000078",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-07-17T13:18:18.423",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.onosproject.org/display/ONOS/Security+advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.onosproject.org/display/ONOS/Security+advisories"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-30093 (GCVE-0-2023-30093)
Vulnerability from cvelistv5 – Published: 2023-05-04 00:00 – Updated: 2025-01-29 20:46
VLAI?
Summary
A cross-site scripting (XSS) vulnerability in Open Networking Foundation ONOS from version v1.9.0 to v2.7.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the url parameter of the API documentation dashboard.
Severity ?
6.1 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:21:44.517Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.edoardoottavianelli.it/CVE-2023-30093/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.youtube.com/watch?v=jZr2JhDd_S8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-30093",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T20:46:39.157321Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-29T20:46:44.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) vulnerability in Open Networking Foundation ONOS from version v1.9.0 to v2.7.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the url parameter of the API documentation dashboard."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-11T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.edoardoottavianelli.it/CVE-2023-30093/"
},
{
"url": "https://www.youtube.com/watch?v=jZr2JhDd_S8"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-30093",
"datePublished": "2023-05-04T00:00:00.000Z",
"dateReserved": "2023-04-07T00:00:00.000Z",
"dateUpdated": "2025-01-29T20:46:44.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-13624 (GCVE-0-2019-13624)
Vulnerability from cvelistv5 – Published: 2019-07-17 02:15 – Updated: 2024-08-04 23:57
VLAI?
Summary
In ONOS 1.15.0, apps/yang/web/src/main/java/org/onosproject/yang/web/YangWebResource.java mishandles backquote characters within strings that can be used in a shell command.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:57:39.467Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/20767/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In ONOS 1.15.0, apps/yang/web/src/main/java/org/onosproject/yang/web/YangWebResource.java mishandles backquote characters within strings that can be used in a shell command."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-17T02:15:54",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gerrit.onosproject.org/#/c/20767/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-13624",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In ONOS 1.15.0, apps/yang/web/src/main/java/org/onosproject/yang/web/YangWebResource.java mishandles backquote characters within strings that can be used in a shell command."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gerrit.onosproject.org/#/c/20767/",
"refsource": "MISC",
"url": "https://gerrit.onosproject.org/#/c/20767/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-13624",
"datePublished": "2019-07-17T02:15:54",
"dateReserved": "2019-07-16T00:00:00",
"dateUpdated": "2024-08-04T23:57:39.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000614 (GCVE-0-2018-1000614)
Vulnerability from cvelistv5 – Published: 2018-07-09 20:00 – Updated: 2024-09-17 00:07
VLAI?
Summary
ONOS ONOS Controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that can result in An adversary can remotely launch advanced XXE attacks on ONOS controller without authentication.. This attack appear to be exploitable via crafted protocol message.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:40:47.675Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/18779/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://gms.cl0udz.com/ONOS_Vul.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-07-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ONOS ONOS Controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that can result in An adversary can remotely launch advanced XXE attacks on ONOS controller without authentication.. This attack appear to be exploitable via crafted protocol message."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-09T20:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/18779/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://gms.cl0udz.com/ONOS_Vul.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-07-08T15:52:41.191908",
"DATE_REQUESTED": "2018-06-24T12:50:55",
"ID": "CVE-2018-1000614",
"REQUESTER": "f3i@t00ls.net",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ONOS ONOS Controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that can result in An adversary can remotely launch advanced XXE attacks on ONOS controller without authentication.. This attack appear to be exploitable via crafted protocol message."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gerrit.onosproject.org/#/c/18779/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/18779/"
},
{
"name": "http://gms.cl0udz.com/ONOS_Vul.pdf",
"refsource": "MISC",
"url": "http://gms.cl0udz.com/ONOS_Vul.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000614",
"datePublished": "2018-07-09T20:00:00Z",
"dateReserved": "2018-07-09T00:00:00Z",
"dateUpdated": "2024-09-17T00:07:03.949Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000616 (GCVE-0-2018-1000616)
Vulnerability from cvelistv5 – Published: 2018-07-09 20:00 – Updated: 2024-09-17 01:31
VLAI?
Summary
ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onos\drivers\utilities\src\main\java\org\onosproject\drivers\utilities\XmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:40:47.612Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/18894/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://gms.cl0udz.com/Openconfig_xxe.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-07-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onos\\drivers\\utilities\\src\\main\\java\\org\\onosproject\\drivers\\utilities\\XmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-09T20:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/18894/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://gms.cl0udz.com/Openconfig_xxe.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-07-08T15:52:41.194245",
"DATE_REQUESTED": "2018-06-28T03:02:59",
"ID": "CVE-2018-1000616",
"REQUESTER": "f3i@t00ls.net",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onos\\drivers\\utilities\\src\\main\\java\\org\\onosproject\\drivers\\utilities\\XmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gerrit.onosproject.org/#/c/18894/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/18894/"
},
{
"name": "http://gms.cl0udz.com/Openconfig_xxe.pdf",
"refsource": "MISC",
"url": "http://gms.cl0udz.com/Openconfig_xxe.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000616",
"datePublished": "2018-07-09T20:00:00Z",
"dateReserved": "2018-07-09T00:00:00Z",
"dateUpdated": "2024-09-17T01:31:35.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000615 (GCVE-0-2018-1000615)
Vulnerability from cvelistv5 – Published: 2018-07-09 20:00 – Updated: 2024-09-16 20:16
VLAI?
Summary
ONOS ONOS Controller version 1.13.1 and earlier contains a Denial of Service (Service crash) vulnerability in OVSDB component in ONOS that can result in An adversary can remotely crash OVSDB service ONOS controller via a normal switch.. This attack appear to be exploitable via the attacker should be able to control or forge a switch in the network..
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:40:47.558Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://gms.cl0udz.com/OVSDB_DOS.pdf"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/18926/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-07-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ONOS ONOS Controller version 1.13.1 and earlier contains a Denial of Service (Service crash) vulnerability in OVSDB component in ONOS that can result in An adversary can remotely crash OVSDB service ONOS controller via a normal switch.. This attack appear to be exploitable via the attacker should be able to control or forge a switch in the network.."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-09T20:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://gms.cl0udz.com/OVSDB_DOS.pdf"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/18926/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-07-08T15:52:41.193067",
"DATE_REQUESTED": "2018-06-28T02:58:34",
"ID": "CVE-2018-1000615",
"REQUESTER": "f3i@t00ls.net",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ONOS ONOS Controller version 1.13.1 and earlier contains a Denial of Service (Service crash) vulnerability in OVSDB component in ONOS that can result in An adversary can remotely crash OVSDB service ONOS controller via a normal switch.. This attack appear to be exploitable via the attacker should be able to control or forge a switch in the network.."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://gms.cl0udz.com/OVSDB_DOS.pdf",
"refsource": "MISC",
"url": "http://gms.cl0udz.com/OVSDB_DOS.pdf"
},
{
"name": "https://gerrit.onosproject.org/#/c/18926/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/18926/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000615",
"datePublished": "2018-07-09T20:00:00Z",
"dateReserved": "2018-07-09T00:00:00Z",
"dateUpdated": "2024-09-16T20:16:40.789Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-12691 (GCVE-0-2018-12691)
Vulnerability from cvelistv5 – Published: 2018-07-05 18:00 – Updated: 2024-08-05 08:45
VLAI?
Summary
Time-of-check to time-of-use (TOCTOU) race condition in org.onosproject.acl (aka the access control application) in ONOS v1.13 and earlier allows attackers to bypass network access control via data plane packet injection.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:45:00.678Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/18867/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wiki.onosproject.org/display/ONOS/Security+advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-06-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Time-of-check to time-of-use (TOCTOU) race condition in org.onosproject.acl (aka the access control application) in ONOS v1.13 and earlier allows attackers to bypass network access control via data plane packet injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-05T17:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/18867/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wiki.onosproject.org/display/ONOS/Security+advisories"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-12691",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Time-of-check to time-of-use (TOCTOU) race condition in org.onosproject.acl (aka the access control application) in ONOS v1.13 and earlier allows attackers to bypass network access control via data plane packet injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gerrit.onosproject.org/#/c/18867/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/18867/"
},
{
"name": "https://wiki.onosproject.org/display/ONOS/Security+advisories",
"refsource": "CONFIRM",
"url": "https://wiki.onosproject.org/display/ONOS/Security+advisories"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-12691",
"datePublished": "2018-07-05T18:00:00",
"dateReserved": "2018-06-23T00:00:00",
"dateUpdated": "2024-08-05T08:45:00.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-13763 (GCVE-0-2017-13763)
Vulnerability from cvelistv5 – Published: 2017-08-30 00:00 – Updated: 2024-09-16 23:46
VLAI?
Summary
ONOS versions 1.8.0, 1.9.0, and 1.10.0 do not restrict the amount of memory allocated. The Netty payload size is not limited.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:05:19.997Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/13831/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/14318/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ONOS versions 1.8.0, 1.9.0, and 1.10.0 do not restrict the amount of memory allocated. The Netty payload size is not limited."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-30T00:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/13831/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/14318/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-13763",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ONOS versions 1.8.0, 1.9.0, and 1.10.0 do not restrict the amount of memory allocated. The Netty payload size is not limited."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gerrit.onosproject.org/#/c/13831/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/13831/"
},
{
"name": "https://gerrit.onosproject.org/#/c/14318/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/14318/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-13763",
"datePublished": "2017-08-30T00:00:00Z",
"dateReserved": "2017-08-29T00:00:00Z",
"dateUpdated": "2024-09-16T23:46:15.175Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-13762 (GCVE-0-2017-13762)
Vulnerability from cvelistv5 – Published: 2017-08-30 00:00 – Updated: 2024-09-16 16:18
VLAI?
Summary
ONOS versions 1.8.0, 1.9.0, and 1.10.0 are vulnerable to XSS.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:05:20.045Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/14067/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/14069/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/14182/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/14050/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/14049/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/14031/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/14148/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/14179/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/14170/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/14066/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ONOS versions 1.8.0, 1.9.0, and 1.10.0 are vulnerable to XSS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-30T00:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/14067/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/14069/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/14182/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/14050/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/14049/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/14031/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/14148/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/14179/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/14170/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/14066/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-13762",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ONOS versions 1.8.0, 1.9.0, and 1.10.0 are vulnerable to XSS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gerrit.onosproject.org/#/c/14067/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/14067/"
},
{
"name": "https://gerrit.onosproject.org/#/c/14069/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/14069/"
},
{
"name": "https://gerrit.onosproject.org/#/c/14182/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/14182/"
},
{
"name": "https://gerrit.onosproject.org/#/c/14050/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/14050/"
},
{
"name": "https://gerrit.onosproject.org/#/c/14049/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/14049/"
},
{
"name": "https://gerrit.onosproject.org/#/c/14031/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/14031/"
},
{
"name": "https://gerrit.onosproject.org/#/c/14148/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/14148/"
},
{
"name": "https://gerrit.onosproject.org/#/c/14179/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/14179/"
},
{
"name": "https://gerrit.onosproject.org/#/c/14170/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/14170/"
},
{
"name": "https://gerrit.onosproject.org/#/c/14066/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/14066/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-13762",
"datePublished": "2017-08-30T00:00:00Z",
"dateReserved": "2017-08-29T00:00:00Z",
"dateUpdated": "2024-09-16T16:18:59.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-7516 (GCVE-0-2015-7516)
Vulnerability from cvelistv5 – Published: 2017-08-24 20:00 – Updated: 2024-08-06 07:51
VLAI?
Summary
ONOS before 1.5.0 when using the ifwd app allows remote attackers to cause a denial of service (NULL pointer dereference and switch disconnect) by sending two Ethernet frames with ether_type Jumbo Frame (0x8870).
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:51:28.322Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.onosproject.org/browse/ONOS-3349"
},
{
"name": "[oss-security] 20151125 Re: CVE request: DoS in ONOS when handling jumbo ethernet frames",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/11/26/1"
},
{
"name": "77752",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/77752"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wiki.onosproject.org/display/ONOS/Security+advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/6137/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-11-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ONOS before 1.5.0 when using the ifwd app allows remote attackers to cause a denial of service (NULL pointer dereference and switch disconnect) by sending two Ethernet frames with ether_type Jumbo Frame (0x8870)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-24T19:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.onosproject.org/browse/ONOS-3349"
},
{
"name": "[oss-security] 20151125 Re: CVE request: DoS in ONOS when handling jumbo ethernet frames",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/11/26/1"
},
{
"name": "77752",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/77752"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wiki.onosproject.org/display/ONOS/Security+advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gerrit.onosproject.org/#/c/6137/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-7516",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ONOS before 1.5.0 when using the ifwd app allows remote attackers to cause a denial of service (NULL pointer dereference and switch disconnect) by sending two Ethernet frames with ether_type Jumbo Frame (0x8870)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.onosproject.org/browse/ONOS-3349",
"refsource": "CONFIRM",
"url": "https://jira.onosproject.org/browse/ONOS-3349"
},
{
"name": "[oss-security] 20151125 Re: CVE request: DoS in ONOS when handling jumbo ethernet frames",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/11/26/1"
},
{
"name": "77752",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/77752"
},
{
"name": "https://wiki.onosproject.org/display/ONOS/Security+advisories",
"refsource": "CONFIRM",
"url": "https://wiki.onosproject.org/display/ONOS/Security+advisories"
},
{
"name": "https://gerrit.onosproject.org/#/c/6137/",
"refsource": "MISC",
"url": "https://gerrit.onosproject.org/#/c/6137/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-7516",
"datePublished": "2017-08-24T20:00:00",
"dateReserved": "2015-09-29T00:00:00",
"dateUpdated": "2024-08-06T07:51:28.322Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-30093 (GCVE-0-2023-30093)
Vulnerability from nvd – Published: 2023-05-04 00:00 – Updated: 2025-01-29 20:46
VLAI?
Summary
A cross-site scripting (XSS) vulnerability in Open Networking Foundation ONOS from version v1.9.0 to v2.7.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the url parameter of the API documentation dashboard.
Severity ?
6.1 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:21:44.517Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.edoardoottavianelli.it/CVE-2023-30093/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.youtube.com/watch?v=jZr2JhDd_S8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-30093",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T20:46:39.157321Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-29T20:46:44.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) vulnerability in Open Networking Foundation ONOS from version v1.9.0 to v2.7.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the url parameter of the API documentation dashboard."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-11T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.edoardoottavianelli.it/CVE-2023-30093/"
},
{
"url": "https://www.youtube.com/watch?v=jZr2JhDd_S8"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-30093",
"datePublished": "2023-05-04T00:00:00.000Z",
"dateReserved": "2023-04-07T00:00:00.000Z",
"dateUpdated": "2025-01-29T20:46:44.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-13624 (GCVE-0-2019-13624)
Vulnerability from nvd – Published: 2019-07-17 02:15 – Updated: 2024-08-04 23:57
VLAI?
Summary
In ONOS 1.15.0, apps/yang/web/src/main/java/org/onosproject/yang/web/YangWebResource.java mishandles backquote characters within strings that can be used in a shell command.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:57:39.467Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/20767/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In ONOS 1.15.0, apps/yang/web/src/main/java/org/onosproject/yang/web/YangWebResource.java mishandles backquote characters within strings that can be used in a shell command."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-17T02:15:54",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gerrit.onosproject.org/#/c/20767/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-13624",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In ONOS 1.15.0, apps/yang/web/src/main/java/org/onosproject/yang/web/YangWebResource.java mishandles backquote characters within strings that can be used in a shell command."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gerrit.onosproject.org/#/c/20767/",
"refsource": "MISC",
"url": "https://gerrit.onosproject.org/#/c/20767/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-13624",
"datePublished": "2019-07-17T02:15:54",
"dateReserved": "2019-07-16T00:00:00",
"dateUpdated": "2024-08-04T23:57:39.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000614 (GCVE-0-2018-1000614)
Vulnerability from nvd – Published: 2018-07-09 20:00 – Updated: 2024-09-17 00:07
VLAI?
Summary
ONOS ONOS Controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that can result in An adversary can remotely launch advanced XXE attacks on ONOS controller without authentication.. This attack appear to be exploitable via crafted protocol message.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:40:47.675Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/18779/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://gms.cl0udz.com/ONOS_Vul.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-07-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ONOS ONOS Controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that can result in An adversary can remotely launch advanced XXE attacks on ONOS controller without authentication.. This attack appear to be exploitable via crafted protocol message."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-09T20:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/18779/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://gms.cl0udz.com/ONOS_Vul.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-07-08T15:52:41.191908",
"DATE_REQUESTED": "2018-06-24T12:50:55",
"ID": "CVE-2018-1000614",
"REQUESTER": "f3i@t00ls.net",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ONOS ONOS Controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that can result in An adversary can remotely launch advanced XXE attacks on ONOS controller without authentication.. This attack appear to be exploitable via crafted protocol message."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gerrit.onosproject.org/#/c/18779/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/18779/"
},
{
"name": "http://gms.cl0udz.com/ONOS_Vul.pdf",
"refsource": "MISC",
"url": "http://gms.cl0udz.com/ONOS_Vul.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000614",
"datePublished": "2018-07-09T20:00:00Z",
"dateReserved": "2018-07-09T00:00:00Z",
"dateUpdated": "2024-09-17T00:07:03.949Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000616 (GCVE-0-2018-1000616)
Vulnerability from nvd – Published: 2018-07-09 20:00 – Updated: 2024-09-17 01:31
VLAI?
Summary
ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onos\drivers\utilities\src\main\java\org\onosproject\drivers\utilities\XmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:40:47.612Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/18894/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://gms.cl0udz.com/Openconfig_xxe.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-07-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onos\\drivers\\utilities\\src\\main\\java\\org\\onosproject\\drivers\\utilities\\XmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-09T20:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/18894/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://gms.cl0udz.com/Openconfig_xxe.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-07-08T15:52:41.194245",
"DATE_REQUESTED": "2018-06-28T03:02:59",
"ID": "CVE-2018-1000616",
"REQUESTER": "f3i@t00ls.net",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onos\\drivers\\utilities\\src\\main\\java\\org\\onosproject\\drivers\\utilities\\XmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gerrit.onosproject.org/#/c/18894/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/18894/"
},
{
"name": "http://gms.cl0udz.com/Openconfig_xxe.pdf",
"refsource": "MISC",
"url": "http://gms.cl0udz.com/Openconfig_xxe.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000616",
"datePublished": "2018-07-09T20:00:00Z",
"dateReserved": "2018-07-09T00:00:00Z",
"dateUpdated": "2024-09-17T01:31:35.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000615 (GCVE-0-2018-1000615)
Vulnerability from nvd – Published: 2018-07-09 20:00 – Updated: 2024-09-16 20:16
VLAI?
Summary
ONOS ONOS Controller version 1.13.1 and earlier contains a Denial of Service (Service crash) vulnerability in OVSDB component in ONOS that can result in An adversary can remotely crash OVSDB service ONOS controller via a normal switch.. This attack appear to be exploitable via the attacker should be able to control or forge a switch in the network..
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:40:47.558Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://gms.cl0udz.com/OVSDB_DOS.pdf"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/18926/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-07-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ONOS ONOS Controller version 1.13.1 and earlier contains a Denial of Service (Service crash) vulnerability in OVSDB component in ONOS that can result in An adversary can remotely crash OVSDB service ONOS controller via a normal switch.. This attack appear to be exploitable via the attacker should be able to control or forge a switch in the network.."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-09T20:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://gms.cl0udz.com/OVSDB_DOS.pdf"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/18926/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-07-08T15:52:41.193067",
"DATE_REQUESTED": "2018-06-28T02:58:34",
"ID": "CVE-2018-1000615",
"REQUESTER": "f3i@t00ls.net",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ONOS ONOS Controller version 1.13.1 and earlier contains a Denial of Service (Service crash) vulnerability in OVSDB component in ONOS that can result in An adversary can remotely crash OVSDB service ONOS controller via a normal switch.. This attack appear to be exploitable via the attacker should be able to control or forge a switch in the network.."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://gms.cl0udz.com/OVSDB_DOS.pdf",
"refsource": "MISC",
"url": "http://gms.cl0udz.com/OVSDB_DOS.pdf"
},
{
"name": "https://gerrit.onosproject.org/#/c/18926/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/18926/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000615",
"datePublished": "2018-07-09T20:00:00Z",
"dateReserved": "2018-07-09T00:00:00Z",
"dateUpdated": "2024-09-16T20:16:40.789Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-12691 (GCVE-0-2018-12691)
Vulnerability from nvd – Published: 2018-07-05 18:00 – Updated: 2024-08-05 08:45
VLAI?
Summary
Time-of-check to time-of-use (TOCTOU) race condition in org.onosproject.acl (aka the access control application) in ONOS v1.13 and earlier allows attackers to bypass network access control via data plane packet injection.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:45:00.678Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/18867/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wiki.onosproject.org/display/ONOS/Security+advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-06-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Time-of-check to time-of-use (TOCTOU) race condition in org.onosproject.acl (aka the access control application) in ONOS v1.13 and earlier allows attackers to bypass network access control via data plane packet injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-05T17:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/18867/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wiki.onosproject.org/display/ONOS/Security+advisories"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-12691",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Time-of-check to time-of-use (TOCTOU) race condition in org.onosproject.acl (aka the access control application) in ONOS v1.13 and earlier allows attackers to bypass network access control via data plane packet injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gerrit.onosproject.org/#/c/18867/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/18867/"
},
{
"name": "https://wiki.onosproject.org/display/ONOS/Security+advisories",
"refsource": "CONFIRM",
"url": "https://wiki.onosproject.org/display/ONOS/Security+advisories"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-12691",
"datePublished": "2018-07-05T18:00:00",
"dateReserved": "2018-06-23T00:00:00",
"dateUpdated": "2024-08-05T08:45:00.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-13763 (GCVE-0-2017-13763)
Vulnerability from nvd – Published: 2017-08-30 00:00 – Updated: 2024-09-16 23:46
VLAI?
Summary
ONOS versions 1.8.0, 1.9.0, and 1.10.0 do not restrict the amount of memory allocated. The Netty payload size is not limited.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:05:19.997Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/13831/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/14318/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ONOS versions 1.8.0, 1.9.0, and 1.10.0 do not restrict the amount of memory allocated. The Netty payload size is not limited."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-30T00:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/13831/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/14318/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-13763",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ONOS versions 1.8.0, 1.9.0, and 1.10.0 do not restrict the amount of memory allocated. The Netty payload size is not limited."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gerrit.onosproject.org/#/c/13831/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/13831/"
},
{
"name": "https://gerrit.onosproject.org/#/c/14318/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/14318/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-13763",
"datePublished": "2017-08-30T00:00:00Z",
"dateReserved": "2017-08-29T00:00:00Z",
"dateUpdated": "2024-09-16T23:46:15.175Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-13762 (GCVE-0-2017-13762)
Vulnerability from nvd – Published: 2017-08-30 00:00 – Updated: 2024-09-16 16:18
VLAI?
Summary
ONOS versions 1.8.0, 1.9.0, and 1.10.0 are vulnerable to XSS.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:05:20.045Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/14067/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/14069/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/14182/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/14050/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/14049/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/14031/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/14148/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/14179/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/14170/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/14066/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ONOS versions 1.8.0, 1.9.0, and 1.10.0 are vulnerable to XSS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-30T00:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/14067/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/14069/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/14182/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/14050/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/14049/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/14031/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/14148/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/14179/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/14170/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.onosproject.org/#/c/14066/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-13762",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ONOS versions 1.8.0, 1.9.0, and 1.10.0 are vulnerable to XSS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gerrit.onosproject.org/#/c/14067/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/14067/"
},
{
"name": "https://gerrit.onosproject.org/#/c/14069/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/14069/"
},
{
"name": "https://gerrit.onosproject.org/#/c/14182/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/14182/"
},
{
"name": "https://gerrit.onosproject.org/#/c/14050/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/14050/"
},
{
"name": "https://gerrit.onosproject.org/#/c/14049/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/14049/"
},
{
"name": "https://gerrit.onosproject.org/#/c/14031/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/14031/"
},
{
"name": "https://gerrit.onosproject.org/#/c/14148/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/14148/"
},
{
"name": "https://gerrit.onosproject.org/#/c/14179/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/14179/"
},
{
"name": "https://gerrit.onosproject.org/#/c/14170/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/14170/"
},
{
"name": "https://gerrit.onosproject.org/#/c/14066/",
"refsource": "CONFIRM",
"url": "https://gerrit.onosproject.org/#/c/14066/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-13762",
"datePublished": "2017-08-30T00:00:00Z",
"dateReserved": "2017-08-29T00:00:00Z",
"dateUpdated": "2024-09-16T16:18:59.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-7516 (GCVE-0-2015-7516)
Vulnerability from nvd – Published: 2017-08-24 20:00 – Updated: 2024-08-06 07:51
VLAI?
Summary
ONOS before 1.5.0 when using the ifwd app allows remote attackers to cause a denial of service (NULL pointer dereference and switch disconnect) by sending two Ethernet frames with ether_type Jumbo Frame (0x8870).
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:51:28.322Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.onosproject.org/browse/ONOS-3349"
},
{
"name": "[oss-security] 20151125 Re: CVE request: DoS in ONOS when handling jumbo ethernet frames",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/11/26/1"
},
{
"name": "77752",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/77752"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wiki.onosproject.org/display/ONOS/Security+advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gerrit.onosproject.org/#/c/6137/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-11-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ONOS before 1.5.0 when using the ifwd app allows remote attackers to cause a denial of service (NULL pointer dereference and switch disconnect) by sending two Ethernet frames with ether_type Jumbo Frame (0x8870)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-24T19:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.onosproject.org/browse/ONOS-3349"
},
{
"name": "[oss-security] 20151125 Re: CVE request: DoS in ONOS when handling jumbo ethernet frames",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/11/26/1"
},
{
"name": "77752",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/77752"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wiki.onosproject.org/display/ONOS/Security+advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gerrit.onosproject.org/#/c/6137/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-7516",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ONOS before 1.5.0 when using the ifwd app allows remote attackers to cause a denial of service (NULL pointer dereference and switch disconnect) by sending two Ethernet frames with ether_type Jumbo Frame (0x8870)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.onosproject.org/browse/ONOS-3349",
"refsource": "CONFIRM",
"url": "https://jira.onosproject.org/browse/ONOS-3349"
},
{
"name": "[oss-security] 20151125 Re: CVE request: DoS in ONOS when handling jumbo ethernet frames",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/11/26/1"
},
{
"name": "77752",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/77752"
},
{
"name": "https://wiki.onosproject.org/display/ONOS/Security+advisories",
"refsource": "CONFIRM",
"url": "https://wiki.onosproject.org/display/ONOS/Security+advisories"
},
{
"name": "https://gerrit.onosproject.org/#/c/6137/",
"refsource": "MISC",
"url": "https://gerrit.onosproject.org/#/c/6137/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-7516",
"datePublished": "2017-08-24T20:00:00",
"dateReserved": "2015-09-29T00:00:00",
"dateUpdated": "2024-08-06T07:51:28.322Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}