CVE-2018-1000616

Source
https://nvd.nist.gov/vuln/detail/CVE-2018-1000616
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1000616.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-1000616
Published
2018-07-09T20:29:00Z
Modified
2024-09-03T02:01:49.981803Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

ONOS controller version 1.13.1 and earlier contains an XML External Entity (XXE) vulnerability in loadxml() in onos\drivers\utilities\src\main\java\org\onosproject\drivers\utilities\XmlConfigParser.java that can allow an adversary to remotely launch XXE attacks on the ONOS controller via an OpenConfig Terminal Device. This attack appears to be exploitable via network connectivity.

References

Affected packages

Git / github.com/opennetworkinglab/onos

Affected ranges

Type
GIT
Repo
https://github.com/opennetworkinglab/onos
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

1.*

1.0.0
1.1.0
1.1.0-rc2
1.10.0-rc1
1.11.0-b2
1.11.0-b3
1.11.0-b4
1.12.0-b1
1.12.0-b2
1.13.0
1.13.0-b5
1.13.0-b6
1.13.0-b7
1.13.0-b8
1.13.0-rc1
1.13.0-rc2
1.13.0-rc3
1.13.0-rc4
1.13.1
1.2.0
1.2.0-rc1
1.2.0-rc2
1.3.0-rc1
1.3.0-rc2
1.4.0
1.4.0-rc1
1.4.0-rc2
1.4.0-rc3
1.5.0
1.5.0-rc2
1.5.0-rc3
1.7.0-rc1
1.7.0-rc2
1.8.0-rc1
1.8.0-rc3
1.8.0-rc4
1.9.0-b1b
1.9.0-b3