Vulnerability Description
A flaw was found in Opendaylight's SDNInterfaceapp (SDNI). Attackers can SQL inject the component's database (SQLite) without authenticating to the controller or SDNInterfaceapp. SDNInterface has been deprecated in OpenDayLight since it was last used in the final Carbon series release. In addition to the component not being included in OpenDayLight in newer releases, the SDNInterface component is not packaged in the opendaylight package included in RHEL.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Opendaylight | Sdninterfaceapp | <= carbon-sr4 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/104238Third Party AdvisoryVDB Entry
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1132Issue TrackingThird Party Advisory
- https://jira.opendaylight.org/browse/SDNINTRFAC-14ExploitThird Party Advisory
- https://www.exploit-db.com/exploits/44747/ExploitThird Party AdvisoryVDB Entry
- http://www.securityfocus.com/bid/104238Third Party AdvisoryVDB Entry
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1132Issue TrackingThird Party Advisory
- https://jira.opendaylight.org/browse/SDNINTRFAC-14ExploitThird Party Advisory
- https://www.exploit-db.com/exploits/44747/ExploitThird Party AdvisoryVDB Entry
FAQ
What is CVE-2018-1132?
CVE-2018-1132 is a vulnerability with a CVSS score of 7.5 (HIGH). A flaw was found in Opendaylight's SDNInterfaceapp (SDNI). Attackers can SQL inject the component's database (SQLite) without authenticating to the controller or SDNInterfaceapp. SDNInterface has been...
How severe is CVE-2018-1132?
CVE-2018-1132 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-1132?
Check the references section above for vendor advisories and patch information. Affected products include: Opendaylight Sdninterfaceapp.