A flaw was found in Opendaylight's SDNInterfaceapp (SDNI). Attackers can SQL inject the component's database (SQLite) without authenticating to the controller or SDNInterfaceapp.
Find out more about CVE-2018-1132 from the MITRE CVE dictionary dictionary and NIST NVD.
SDNInterface has been deprecated in OpenDayLight since it was last used in the final Carbon series release. In addition to the component not being included in OpenDayLight in newer releases, the SDNInterface component is not included in the RHOSP package for opendaylight
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 7.5 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity Impact | High |
| Availability Impact | None |
| Platform | Package | State |
|---|---|---|
| Red Hat OpenStack Platform 9.0 | opendaylight | Not affected |
| Red Hat OpenStack Platform 8.0 (Liberty) | opendaylight | Not affected |
| Red Hat OpenStack Platform 13.0 (Queens) | opendaylight | Not affected |
| Red Hat OpenStack Platform 12.0 | opendaylight | Not affected |
| Red Hat OpenStack Platform 11.0 (Ocata) | opendaylight | Not affected |
| Red Hat OpenStack Platform 10 | opendaylight | Not affected |
Vulmon